Edit tour

Windows Analysis Report
U6ghPv3E7k.exe

Overview

General Information

Sample name:	U6ghPv3E7k.exe renamed because original name is a hash value
Original sample name:	3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44.exe
Analysis ID:	1546123
MD5:	00ba1e1d154e18d1124d87934fae9f20
SHA1:	41bfc98b2b24f4f70852f2de62c08e3c2aaf85ad
SHA256:	3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44
Tags:	exevacationtogotravels-netuser-JAMESWT_MHT
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

U6ghPv3E7k.exe (PID: 5640 cmdline: "C:\Users\user\Desktop\U6ghPv3E7k.exe" MD5: 00BA1E1D154E18D1124D87934FAE9F20)

conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iexplore.exe (PID: 5532 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 3688 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ssvagent.exe (PID: 6152 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

cleanup

Sigma Signatures

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 3688, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 6152, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 5532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:32:37.044546+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49708	TCP
2024-10-31T14:33:15.592916+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49931	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50020 version: TLS 1.2

Source: U6ghPv3E7k.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49931

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vacationtogotravels.netConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: vacationtogotravels.net

Source: unknown

HTTP traffic detected: POST /register HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vacationtogotravels.netContent-Length: 8Connection: Keep-AliveCache-Control: no-cache

Source: U6ghPv3E7k.exe, 00000000.00000003.2203274887.000002D47C23E000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2194792115.000002D47C23E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vacationtogotravels.net/register
Source: U6ghPv3E7k.exe, 00000000.00000003.2257822965.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2218327326.000002D47C24F000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2254497955.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2251266127.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2254920750.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2248276830.000002D47C2D3000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2256754273.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2245514478.000002D47C290000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2257911553.000002D47C2CD000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2215564565.000002D47C24D000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2219233771.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2246626009.000002D47C2D1000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2245701697.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2251266127.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vacationtogotravels.net/upload

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:50020 version: TLS 1.2

Source: classification engine

Classification label: clean3.winEXE@7/28@1/1

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4C4ABBEFBEE1C868.TMP

Jump to behavior

Source: U6ghPv3E7k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\U6ghPv3E7k.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\U6ghPv3E7k.exe "C:\Users\user\Desktop\U6ghPv3E7k.exe"
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior

Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\U6ghPv3E7k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: U6ghPv3E7k.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: U6ghPv3E7k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: U6ghPv3E7k.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: U6ghPv3E7k.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: U6ghPv3E7k.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: U6ghPv3E7k.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: U6ghPv3E7k.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: U6ghPv3E7k.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: U6ghPv3E7k.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: U6ghPv3E7k.exe	Static PE information: section name: .msvcjmc
Source: U6ghPv3E7k.exe	Static PE information: section name: _RDATA

Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\U6ghPv3E7k.exe TID: 3140

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\U6ghPv3E7k.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
U6ghPv3E7k.exe	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vacationtogotravels.net	89.221.225.227	true	false		unknown

Contacted URLs

Name	Malicious	Reputation
https://vacationtogotravels.net/upload	false	unknown
https://vacationtogotravels.net/favicon.ico	false	unknown
https://vacationtogotravels.net/register	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.221.225.227	vacationtogotravels.net	Russian Federation		41691	SUMTEL-AS-RIPEMoscowRussiaRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546123
Start date and time:	2024-10-31 14:31:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	U6ghPv3E7k.exe renamed because original name is a hash value
Original Sample Name:	3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44.exe
Detection:	CLEAN
Classification:	clean3.winEXE@7/28@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.143, 2.23.209.133, 2.23.209.149, 2.23.209.135, 2.23.209.140, 2.23.209.154, 2.23.209.193, 2.23.209.132, 2.23.209.130, 204.79.197.200
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, any.edge.bing.com, ocsp.digicert.com, www.bing.com.edgekey.net, go.microsoft.com.edgekey.net, ieonline.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: U6ghPv3E7k.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.221.225.227	RafaelConnect.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vacationtogotravels.net	RafaelConnect.exe	Get hash	malicious	Unknown	Browse	89.221.225.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUMTEL-AS-RIPEMoscowRussiaRU	RafaelConnect.exe	Get hash	malicious	Unknown	Browse	89.221.225.227
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.172.94.66
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.172.94.66
	sh4.elf	Get hash	malicious	Unknown	Browse	87.117.138.145
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	178.130.55.72
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	109.172.60.44
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	89.221.206.246
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	RafaelConnect.exe	Get hash	malicious	Unknown	Browse	89.221.225.227
	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	89.221.225.227
	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	89.221.225.227
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	89.221.225.227
	http://wesiakkaernten.fibery.io/@public/forms/gBNXdAWE	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	89.221.225.227
	PO-004976.xls	Get hash	malicious	Unknown	Browse	89.221.225.227
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	89.221.225.227
	-Payout Salary Benefits.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	89.221.225.227
	https://forthedoglover.com/Ray-verify.html	Get hash	malicious	Unknown	Browse	89.221.225.227
	FW Complete with Docusign Remittance Advice .pdf.eml	Get hash	malicious	Unknown	Browse	89.221.225.227

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	1282
Entropy (8bit):	4.385669629869206
Encrypted:	false
SSDEEP:	24:w/k5OmKMM/1RKOMFMUbasvCYn+zR38zH7rp2BOb6w3A8djX:w/k5Omn61RKONyZTn+zRqPwBi3AU
MD5:	D0FA4A18E595FD157B6992AD09611524
SHA1:	C6ACC6DF94C2D0E77822E17993221BD2642FA261
SHA-256:	221CDE54892CBAA0C32DCAADBF259DAEF8AA8DBFCCBFE01C5188E5A42698E1C0
SHA-512:	9495AA9A51FCFCF6DD65C593AF0DA37BF816AF267A7653B1035E282062FF263C28B069139521AE7BCD7FABEC4B478AA07C2270C55D5BA43E1651A82E80438489
Malicious:	false
Preview:	........+.h.t.t.p.s.:././.v.a.c.a.t.i.o.n.t.o.g.o.t.r.a.v.e.l.s...n.e.t./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....................................................................................................................................................................................................................................................................................................Y..1..&...?..............b........................... ...L.,...3{....O...[...9...................................].....g......}..)p....................................................."...!z..!u..............................................;............k..q.......................................mmp.........[...J...e.......................................................................WVY.LKN.YX[.....................................................FFI.jjl.................................................}}............................................

Process:	C:\Users\user\Desktop\U6ghPv3E7k.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	5.033184175406308
Encrypted:	false
SSDEEP:	3:7/YkttmNFjESjHH7HBY:7Nt462bu
MD5:	52005468EE51D684E8D726ECA3C07F4D
SHA1:	D8B11B8F88065A89388ECDE317519CA562E6FE49
SHA-256:	FC309DC28B9FA00BFB9FCB66FC0BA34D574D2BC278B294CC473044116EEC53F8
SHA-512:	F725D1D500A98D7BAD4408B5662405D30394B892B5A7A5C0A739B878F619E51810658266DFAC6C266488EA46D2845D29F248921F400B9506690570E1411053D7
Malicious:	false
Preview:	+1Z2m5QzOHnneu2SJpWFUFh35bqRIb/9oEkewHYvR24=

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.05692913454477
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	U6ghPv3E7k.exe
File size:	576'000 bytes
MD5:	00ba1e1d154e18d1124d87934fae9f20
SHA1:	41bfc98b2b24f4f70852f2de62c08e3c2aaf85ad
SHA256:	3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44
SHA512:	8cdf2952bd464f459fea335c6e79f52884aedbebd967a41cd97c27ba1f49c10093c2545b5abcca6275199aaa4c49ad64b12c671cccb2e7f3995faed190fdb9cc
SSDEEP:	12288:wrehgmo0WYgeWYg955/155/e/MxDuFB45w8xD2ovd9:wrehMsMoFBI3p209
TLSH:	40C4F43A62D4F1E5E066903CC84275F6E6727CD8CF1186DFAA94BE567E325F0193AB00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|.V.\|.V.\|.V...W.\|.V...WJ\|.Vy..W.\|.Vy..W.\|.Vy..W.\|.V...W.\|.V...W.\|.V.\|.VA\|.Vw..W.\|.Vw..W.\|.Vw..W.\|.Vw.4V.\|.Vw..W.\|.VRich.\|.

Entrypoint:	0x140024338
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A6A5D [Thu Oct 24 15:40:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d41245333f8603e0e59f39f6ce5f573b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6ee78	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7d000	0x156a9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x76000	0x4548	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x93000	0x1144	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x64aa0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x64b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x64960	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x448	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x502e4	0x50400	df003863cf76063a0c3c8b781717ce24	False	0.5187250535436138	data	6.48899250595572	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x1dc74	0x1de00	984fb9e779b583760586a8e241601f75	False	0.41123496338912136	data	5.040083060952944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x5b28	0x2e00	723ab00cb35ad5e9796cc9670b0fae1b	False	0.16805366847826086	data	4.031587734903732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x76000	0x4548	0x4600	b9e9391e381e3a2d75874bb619790f3d	False	0.4786830357142857	data	5.65347773255456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0x7b000	0x28b	0x400	7ecebdaafe87386a24fcecfd38060ff9	False	0.01953125	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.9461608308144216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x7c000	0x15c	0x200	1ecdd21de31546ab16fc30a1f941ed05	False	0.40625	data	3.322564532023261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7d000	0x156a9	0x15800	af6263ef071db27365cc57a65a97e9f1	False	0.0866188226744186	data	2.1499530063549184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x93000	0x1144	0x1200	2a5fd688c7619d7906b4c33de5d5fd6a	False	0.4077690972222222	data	5.390730016539296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7d528	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024			0.23049645390070922
RT_ICON	0x7d990	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600			0.19476744186046513
RT_ICON	0x7e048	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304			0.14672131147540984
RT_ICON	0x7e9d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.1198405253283302
RT_ICON	0x7fa78	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6400			0.09437869822485206
RT_ICON	0x814e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.08246887966804979
RT_ICON	0x83a88	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.06170288143599433
RT_ICON	0x87cb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024			0.23049645390070922
RT_ICON	0x88118	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600			0.19476744186046513
RT_ICON	0x887d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304			0.14672131147540984
RT_ICON	0x89158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.1198405253283302
RT_ICON	0x8a200	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6400			0.09437869822485206
RT_ICON	0x8bc68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.08246887966804979
RT_ICON	0x8e210	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.06170288143599433
RT_GROUP_ICON	0x92438	0x14	data			1.1
RT_GROUP_ICON	0x9244c	0x14	data			1.25
RT_GROUP_ICON	0x92460	0x14	data			1.25
RT_GROUP_ICON	0x92474	0x14	data			1.2
RT_GROUP_ICON	0x92488	0x14	data			1.25
RT_GROUP_ICON	0x9249c	0x14	data			1.25
RT_GROUP_ICON	0x924b0	0x14	data			1.25
RT_GROUP_ICON	0x924c4	0x68	data			0.7884615384615384
RT_MANIFEST	0x9252c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

DLL	Import
KERNEL32.dll	DecodePointer, CloseHandle, GetLastError, CreatePipe, InitializeCriticalSectionEx, DeleteCriticalSection, WaitForSingleObject, Sleep, CreateProcessW, GetConsoleWindow, WriteFile, QueryPerformanceFrequency, QueryPerformanceCounter, WriteConsoleW, SetStdHandle, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, ReadFile, GetFileSize, CreateFileW, SetLastError, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, HeapSize, HeapReAlloc, ReadConsoleW, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, WideCharToMultiByte, EncodePointer, MultiByteToWideChar, LCMapStringEx, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, InitializeSListHead, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, OutputDebugStringW, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InterlockedPushEntrySList, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, RtlUnwind
USER32.dll	GetSystemMetrics, ShowWindow, ReleaseDC, GetDC
GDI32.dll	DeleteObject, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, SelectObject
ole32.dll	CoUninitialize, CoCreateInstance, CoInitialize, CreateStreamOnHGlobal
OLEAUT32.dll	SysAllocString, SysFreeString, SysStringLen, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, VariantInit, VariantClear
SHLWAPI.dll	PathFileExistsW
gdiplus.dll	GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipGetImageEncodersSize, GdipCloneImage, GdipGetImageEncoders, GdiplusShutdown, GdiplusStartup, GdipFree, GdipSaveImageToStream, GdipAlloc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:32:31.934150934 CET	58816	53	192.168.2.5	1.1.1.1
Oct 31, 2024 14:32:32.619671106 CET	53	58816	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:33 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:33 UTC	8	OUT	Data Raw: 26 61 ab 21 10 03 00 00 Data Ascii: &a!
2024-10-31 13:32:34 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:34 GMT Connection: close Content-Length: 44
2024-10-31 13:32:34 UTC	44	IN	Data Raw: 2b 31 5a 32 6d 35 51 7a 4f 48 6e 6e 65 75 32 53 4a 70 57 46 55 46 68 33 35 62 71 52 49 62 2f 39 6f 45 6b 65 77 48 59 76 52 32 34 3d Data Ascii: +1Z2m5QzOHnneu2SJpWFUFh35bqRIb/9oEkewHYvR24=

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:35 UTC	212	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vacationtogotravels.net Connection: Keep-Alive
2024-10-31 13:32:35 UTC	312	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: image/x-icon Last-Modified: Mon, 25 Sep 2023 13:01:08 GMT ETag: "1695646868.0-1150-965286158" Server: Microsoft-IIS/10.0 Content-Disposition: inline; filename=favicon.ico Date: Thu, 31 Oct 2024 13:32:35 GMT Connection: close Content-Length: 1150
2024-10-31 13:32:35 UTC	1150	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 20 00 68 04 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 12 0b 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ff fe fe fd ff ff ff ff ff ff ff ff ff ff fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ff ff ff ff ff ff ff ff ff ff ff ff ff fc fb f9 ff ff fe fd ff fd fc fc ff ff ff ff ff fe fd fa ff fd fd fc ff ff ff ff ff ff fe fc ff ff fe fb ff fc fc fa ff fe fe fd ff ff ff fe ff ff ff ff ff ff ff fe ff ff fe fd ff ff ff ff ff fb Data Ascii: h(

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:37 UTC	326	OUT	POST /upload HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 697244 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 10 03 00 00 31 16 b5 04 90 a3 0a 00 e1 05 ef 78 8d 71 38 fc b4 07 e1 71 da a6 01 b1 b0 af a5 f0 9a ec ef 34 2a 00 5b 39 7f 3b 47 c4 e1 31 bd 21 da 44 da 0e 7a d4 b4 b6 75 99 e7 d6 fd d3 85 7a 05 0d dc 40 67 ad dc a7 05 46 18 64 52 d7 19 20 49 a6 8e 49 b7 5f 50 71 47 a7 86 18 1d aa fe 4e 12 0c f2 08 73 25 1f cb 35 5c 0c 1e a7 46 87 da 4b 05 73 b5 53 31 39 92 c0 b1 e0 f4 3b 7c 03 7c a1 f8 77 cd 44 2a 80 a5 56 ee 42 cf 73 c4 c5 88 ff 20 74 9b 5a 0f b1 4f d2 1f 52 c0 da ee e6 b9 5d 1b c2 ed ba 10 d8 fd ee ad db 7d 50 bc 78 1d 99 99 43 95 f4 64 77 55 65 ed 85 34 1d f5 ce 02 2e 61 ab 9e 73 da 24 b3 d7 28 bc ca e3 65 6d f6 38 6a a4 1f 61 29 d8 ac 49 f9 28 0c e8 45 04 63 8f 10 de 33 69 ec c7 71 70 72 51 7d 12 98 14 88 68 d0 62 02 2a 5c 67 78 34 b5 a2 d9 5a af 98 Data Ascii: 1xq8q4[9;G1!Dzuz@gFdR II_PqGNs%5\FKsS19;\|\|wDVBs tZOR]}PxCdwUe4.as$(em8ja)I(Ec3iqprQ}hb*\gx4Z
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 6a 01 3a 7f 47 bb ba 4e 2a 2d 65 8e 93 67 76 dc c4 b6 73 11 54 d6 f5 fd 0c ea a4 1e 6f 6c 6e 6d e0 b6 22 f8 33 34 6e 7d 05 12 10 53 5b 8a d2 71 1e 23 9a eb 40 bd 24 fd 0f e5 0c 47 12 b0 7a 63 2a 7a d4 df 08 11 9c 73 ed 0e 00 1a 0d c9 cf f0 95 7c fb 96 e4 6a de bd 6c 10 fe 89 c5 4e a1 73 60 51 15 04 a8 e0 68 b8 5a 1f 54 5b 89 b0 6b db 33 e3 47 9a d7 55 45 fd 64 48 e6 0a 23 2a a9 7d f2 f7 56 b4 91 59 38 ab 67 40 1a d1 f9 53 68 e0 6e aa 4a 50 ee 25 d7 74 a6 de 70 a8 c7 ea dc 8f cc 91 5b 7f 67 76 84 30 00 a9 8f b5 b9 ec 04 29 b6 d1 92 7c c4 2d 38 ed 26 3a 3d 5f 66 95 9b aa f8 1c d2 1a a9 b1 07 91 d3 af b4 f2 1f a9 7c 37 e8 a7 c0 12 fa 95 b2 c8 e2 e9 e3 59 f2 b0 a6 fa 44 f6 43 be ed 53 f8 56 32 f6 c0 83 48 20 43 b8 2d d0 67 6e d2 63 af c2 cb d8 1f 1b d2 3f 7b Data Ascii: j:GN-egvsTolnm"34n}S[q#@$Gzczs\|jlNs`QhZT[k3GUEdH#*}VY8g@ShnJP%tp[gv0)\|-8&:=_f\|7YDCSV2H C-gnc?{
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 5a 5a eb 47 b7 82 a2 f0 74 4f cd f5 85 7e 6b a1 14 a4 dd d4 ac 34 88 ee 93 55 3f 02 8e 19 03 45 4e 55 30 33 8f 95 d8 11 fa 64 68 da 10 b7 03 ce 79 b4 9e 35 0b 42 2a af 52 3a a8 68 40 1d 23 4a 5b d3 2d 48 b6 be 93 45 a7 f6 6a 83 7b 82 35 db b6 2f e2 cd a8 79 2d d3 ce 8a b1 be 64 20 24 6a 91 0c 44 d4 92 22 18 75 ea 7f ad 24 43 f2 71 3c 59 c2 b7 8a b3 14 4b af 0e c1 7f 38 7b 17 b2 7f 6c 96 28 d7 89 cb 90 d3 3e 42 71 52 d5 5f 88 32 5b 50 a5 c7 d3 b1 4c c8 49 44 b1 6f f3 25 0f 21 aa 22 35 e3 03 a6 2b db 49 15 e6 e9 ce 16 53 c0 fc 35 15 07 c2 a2 57 4c 35 38 4a c5 df aa 4e 0d 48 4b 38 6d d1 93 3a 38 26 49 29 c5 d0 4f 92 2a a8 24 c3 cc 0e 9c 2b 05 86 15 8d 67 98 9a 43 bb 06 a8 76 2b a8 fd 8c 51 b3 00 db d6 d9 fb bc 77 40 eb 02 36 69 36 43 1a 65 d7 97 f5 a2 53 8d Data Ascii: ZZGtO~k4U?ENU03dhy5BR:h@#J[-HEj{5/y-d $jD"u$Cq<YK8{l(>BqR_2[PLIDo%!"5+IS5WL58JNHK8m:8&I)O$+gCv+Qw@6i6CeS
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: b6 7a 94 77 91 f0 5f 1b 11 94 05 85 12 83 6f 33 af 4b 42 71 5a d5 07 48 fd cd 07 31 d5 45 55 5e 37 2a d9 ad 39 75 b2 d8 7a 5a 20 67 70 b7 00 20 19 32 c7 6e 96 5b 08 40 f1 22 79 d1 01 53 5a d4 12 1a cd 03 d9 dc 2b c3 6d 60 0c b0 5c dc 1d 91 6a e7 a1 98 bd b6 45 1d 59 3d b8 4b 58 68 bb 41 0c 51 88 f9 2c 9d 1d 1d 62 e1 d5 dc 05 c1 59 13 d1 f6 21 40 76 97 3e 4b 60 87 ef f9 1c 06 a7 20 2a 2e 2b 29 5e db a6 22 92 6c 41 70 a8 86 0a b9 7c 36 ca e4 99 13 79 f3 72 4b 07 5b 5c cc 87 f0 18 1b c7 78 8b 68 2c 88 39 b4 fd 95 3e 85 98 a7 fe 32 4e e7 b4 46 a0 f0 bd 27 da 1b 8e c8 82 7d 27 fc 83 34 a8 63 cb be 7f 6d 31 c9 d7 66 1b 75 89 9d ef fb 75 3e c4 37 27 1e 39 13 fb 31 02 b0 5d bf 8f d9 0b 26 55 35 ea 6b 13 46 c5 3b ee ef df bb 74 80 a6 fd 85 09 d8 e4 1d ae 2a 6b 97 Data Ascii: zw_o3KBqZH1EU^79uzZ gp 2n[@"ySZ+m`\jEY=KXhAQ,bY!@v>K` .+)^"lAp\|6yrK[\xh,9>2NF'}'4cm1fuu>7'91]&U5kF;t*k
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 6c b7 99 28 2e 6c 69 2f ee 3d 92 82 e2 20 13 ad 96 fb 86 c4 e2 53 45 38 42 b4 0a a1 18 c6 c7 7d dc 11 e4 dc b6 1b 72 10 37 fe 88 2c 1a b9 b2 8d 9a 87 47 79 a2 7d 5f 95 91 ac 93 7c 9f 5a e0 c6 91 a5 65 39 7c ef e3 22 71 95 14 9d 7a 39 b8 76 ea f4 bb 3a 20 fc 6f 6c b4 6e c3 7d 32 e7 6b 2e e5 0c f6 5e a6 31 ad 0b 44 70 4c 3f 5f 23 85 ae e2 8b 46 e9 94 e0 f1 a0 b8 43 db 8d ee e7 a0 a8 dd 8a ab 2f d9 92 1e 07 28 33 89 87 39 36 89 90 a2 3a 5d df 1f e7 2a 5b ec 67 a5 44 b1 bf fd b1 a1 ad b0 a7 fb ef c1 86 1e be 0e 79 c1 91 54 08 a8 fc 57 06 53 86 13 0e cd f7 6e 65 e8 88 c8 14 9e de 6c 93 77 be 9b da 02 dc da 12 67 ab 00 62 78 3f 00 46 c7 56 b9 a5 82 de 91 75 d9 91 e4 1e 9c 21 aa bf 85 e9 69 38 96 c1 14 84 c8 8f 7a b9 e1 ca ec 3e 77 1d 07 8a 48 ce ca 62 96 49 94 Data Ascii: l(.li/= SE8B}r7,Gy}_\|Ze9\|"qz9v: oln}2k.^1DpL?_#FC/(396:]*[gDyTWSnelwgbx?FVu!i8z>wHbI
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 37 53 30 9f 5c 69 ad 41 00 49 eb 0d 58 10 da c0 af 72 8c dd 23 1f 62 35 b2 49 c4 c9 2d b9 f5 72 36 32 98 f7 d1 45 b9 6a e4 41 96 1b bf f4 88 da b9 61 17 13 37 8e 2a 82 b3 59 73 eb 18 eb 72 3f 01 86 2f 2e ea a1 fc 51 93 4f a1 6f 47 53 49 1e ac 6b 62 76 7f 5d a9 ad 2e b1 1a 3f a1 57 e4 4c 38 ba 06 8e 32 49 7b c8 0f 2a c9 16 67 de e6 32 7a 6b 8b bd 16 b0 40 35 56 18 b0 aa 1a 30 ad 0f 77 79 24 ef bb d1 30 4b 21 f0 e0 66 af 2c ba 6c a0 e6 51 8a aa 22 65 59 99 9c fc d2 f1 5e 3a f3 ab 97 87 30 30 dc 4f 33 e1 e5 e6 d5 23 5a 1f 56 f8 78 a3 04 23 cb 51 f0 8e 5a d3 17 25 93 a4 0e 0f 50 d3 42 17 5d aa be 57 54 91 04 5f b3 a1 f1 fb 59 86 30 f0 7e 0b 89 fe c5 ef 3e 42 c8 1b 86 fd dc 43 5f 38 bc 39 16 f1 06 ce ae e2 15 2c 26 ea 5b 98 f7 20 2e cc ac 37 5d 41 56 f5 91 63 Data Ascii: 7S0\iAIXr#b5I-r62EjAa7Ysr?/.QOoGSIkbv].?WL82I{g2zk@5V0wy$0K!f,lQ"eY^:00O3#ZVx#QZ%PB]WT_Y0~>BC_89,&[ .7]AVc
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: 84 bb 0a 75 a4 76 69 02 7c f8 89 ce c2 67 22 4f 65 1c d7 3c 4e e3 61 78 9a fe 5d 46 88 bb 31 58 77 21 3c e7 ed c6 3f 5f 73 10 db 72 25 d9 20 4f d2 a2 59 ac 4e 91 03 93 d4 ea 77 4f be 75 28 fd a5 16 bd bd 71 0d 59 af 31 97 fc e5 d2 9c 37 6f 99 2b b5 04 6e bd ad e0 b2 bd d3 3b 29 e9 cd 48 2c fe bc 4c b2 f9 90 f1 a8 15 c7 b5 80 f2 b4 f7 77 d9 76 6a 85 70 ff 22 e5 e4 8a 36 ec 59 3c 6d 17 a6 e2 ab 4d 64 fa 56 52 b3 6a e3 e1 e6 a0 99 18 f5 3d 33 96 d1 a6 11 ad a9 65 39 12 34 0e a4 74 67 59 9b 7b 97 9f ab e1 2b 48 5b ae 5d ca b7 56 6c d2 2e 5a 88 7c 2f bc 1c 90 4b d0 af 73 5c c2 20 e4 25 9e 32 5a 27 c2 22 57 1a 65 05 1e 6b 97 8a b8 e1 e4 64 12 a8 87 a7 94 f2 6f 4f 44 de 49 7a 36 13 22 7d 59 89 85 d3 c1 5d 7b 47 5a 9c 2c af 26 b0 dd 68 c5 59 8f 56 20 f4 1b ff d0 Data Ascii: uvi\|g"Oe<Nax]F1Xw!<?_sr% OYNwOu(qY17o+n;)H,Lwvjp"6Y<mMdVRj=3e94tgY{+H[]Vl.Z\|/Ks\ %2Z'"WekdoODIz6"}Y]{GZ,&hYV
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: b9 55 c6 ef 93 c3 0a 45 8a 36 19 21 f4 2b 25 ae 19 32 2a 64 3c e1 bc e8 4c f3 cc 9a 21 bf 83 6f d2 4f b0 27 31 e3 7c 74 30 e8 68 d6 da 86 70 a3 16 a8 6c d4 86 05 a8 33 f0 16 5c 7c 1f c2 f5 52 a1 1a 33 6e d8 71 87 c9 a7 5f aa ca e0 ee bb c7 50 4a 61 33 4b dd b5 a2 c4 f4 71 7c 96 1b 43 c9 47 50 7c 8c 43 55 03 a4 68 ac 26 80 47 7f 44 5b 00 7f ed a5 19 f1 af 26 f0 50 82 46 04 08 ec c8 3b 4e fc 55 ea 7e ad 8e 80 f8 dc a7 b9 5c 1b 4b e9 31 e3 f7 01 af d2 eb f5 4b 2b e9 2b a6 1c 4c 76 c9 6c a8 c1 92 31 62 44 2a a9 17 2a eb 72 b3 7c 9d 2f d8 45 77 01 24 1a 6f 92 8d bd d4 e4 69 61 03 21 b6 7c c4 bd 6a cf 3e f5 f6 76 55 f9 8c b0 1c 05 06 95 d5 0b b7 c3 b9 85 01 79 22 e9 99 b2 3e f9 66 51 fd 72 1e 07 3d 8e 6b af c7 28 d7 87 e4 a8 fc 59 53 54 db f8 da 83 3e 7e ca 4c Data Ascii: UE6!+%2d<L!oO'1\|t0hpl3\\|R3nq_PJa3Kq\|CGP\|CUh&GD[&PF;NU~\K1K++Lvl1bD*r\|/Ew$oia!\|j>vUy">fQr=k(YST>~L
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: bd 26 53 fc 86 6b c7 1d 68 9c 7e ac 33 9c 71 52 bf 76 d5 5a c5 df 8c 8d f3 11 56 a9 2a 46 5b bc 1e 23 cb 5b cf 64 d6 b6 18 67 b3 9a a4 12 e9 2e 82 53 27 77 a5 87 17 c8 fd 2c 81 91 9b 57 ba 51 82 db d6 13 07 77 b2 51 9d f9 e6 98 a2 a4 f1 08 85 c9 ee f4 78 77 ca f3 ee 2a 7b 22 a2 21 8b b2 54 be 73 90 8f 97 59 2d e2 05 eb c5 a5 df 10 0d 4b 60 8c 21 45 d1 56 1a 39 a0 c4 bf 30 a5 49 6c e8 73 a8 c3 eb 9f 59 80 03 2e 8f 08 87 f3 ef ed 31 67 4b 5b 8e 1a 3e 03 56 ff 43 d2 32 9b b1 9b c5 85 bd ba 05 d3 ef 5c e9 29 a7 71 30 09 28 cb e1 d8 04 0f 7d 9f fa c3 26 74 b8 a7 06 48 ee e1 11 92 38 62 e2 58 37 0f ce ea d6 51 91 18 cf 56 e1 2b 0d 0f 9d 2d 0d 2b 15 da c6 8c 72 38 62 2f 18 b7 28 c6 ca d8 c7 91 0b 7c a1 ca 3f 03 c1 28 19 45 e7 51 cd bb ae 76 5b 34 38 90 6e 95 99 Data Ascii: &Skh~3qRvZVF[#[dg.S'w,WQwQxw{"!TsY-K`!EV90IlsY.1gK[>VC2\)q0(}&tH8bX7QV+-+r8b/(\|?(EQv[48n
2024-10-31 13:32:37 UTC	16355	OUT	Data Raw: d8 0d 5e 57 1e 29 25 b4 fb 7b 5f 75 b1 5a 60 95 15 62 d6 62 4d 8f b1 8e 4c 30 ca 27 4f 96 ec c4 8b ff 74 fd fa 57 2d 86 d4 ef 4b 2d 35 50 9c 8f 39 24 2c fa ff c8 ab 5b a1 1a 78 28 17 aa 67 21 81 39 80 28 fb 26 df 4e 21 ff cc 0d ce 18 cc 56 12 e2 0d 49 38 eb 61 a1 4d f3 09 41 3e 1f 7c d7 64 c1 b6 8d fb 39 ab 43 67 e1 e8 11 3c 61 08 4b 94 92 44 22 fb c7 18 48 5a b0 f2 19 88 73 8a de 7d 61 67 01 de fb 8f d8 a8 84 73 fd 51 de 04 2b b0 a8 93 f0 4b 49 3a 3f ff 0f ca 83 c9 c7 f0 72 27 d0 90 aa da b7 d2 c4 dc cc 9e be cf f7 d4 c4 ee 64 b6 a4 8a e0 7c ba a1 45 f2 23 d1 74 79 3e e5 66 04 a3 e8 0d ec cb ee 4d 20 53 1d 81 c9 cb 2e 22 78 d3 4f 86 7d d2 4b 79 82 d1 fb 8b 3b 77 a1 bf ce ac 91 0c 87 e1 89 24 62 9c a2 6b 4c 2a d2 0b cf da ad d3 19 78 c8 52 98 e1 e6 0a 48 Data Ascii: ^W)%{_uZ`bbML0'OtW-K-5P9$,[x(g!9(&N!VI8aMA>\|d9Cg<aKD"HZs}agsQ+KI:?r'd\|E#ty>fM S."xO}Ky;w$bkL*xRH

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:38 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:38 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:32:38 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:37 GMT Connection: close Content-Length: 24
2024-10-31 13:32:38 UTC	24	IN	Data Raw: 49 4d 6f 33 47 67 38 53 56 37 36 6d 46 5a 63 33 4a 62 78 2f 31 51 3d 3d Data Ascii: IMo3Gg8SV76mFZc3Jbx/1Q==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:41 UTC	326	OUT	POST /upload HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 697244 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 10 03 00 00 31 16 b5 04 90 a3 0a 00 e1 05 ef 78 8d 71 38 fc b4 07 e1 71 da a6 01 b1 b0 af a5 f0 9a ec ef 34 2a 00 5b 39 7f 3b 47 c4 e1 31 bd 21 da 44 da 0e 7a d4 b4 b6 75 99 e7 d6 fd d3 85 7a 05 0d dc 40 67 ad dc a7 05 46 18 64 52 d7 19 20 49 a6 8e 49 b7 5f 50 71 47 a7 86 18 1d aa fe 4e 12 0c f2 08 73 25 1f cb 35 5c 0c 1e a7 46 87 da 4b 05 73 b5 53 31 39 92 c0 b1 e0 f4 3b 7c 03 7c a1 f8 77 cd 44 2a 80 a5 56 ee 42 cf 73 c4 c5 88 ff 20 74 9b 5a 0f b1 4f d2 1f 52 c0 da ee e6 b9 5d 1b c2 ed ba 10 d8 fd ee ad db 7d 50 bc 78 1d 99 99 43 95 f4 64 77 55 65 ed 85 34 1d f5 ce 02 2e 61 ab 9e 73 da 24 b3 d7 28 bc ca e3 65 6d f6 38 6a a4 1f 61 29 d8 ac 49 f9 28 0c e8 45 04 63 8f 10 de 33 69 ec c7 71 70 72 51 7d 12 98 14 88 68 d0 62 02 2a 5c 67 78 34 b5 a2 d9 5a af 98 Data Ascii: 1xq8q4[9;G1!Dzuz@gFdR II_PqGNs%5\FKsS19;\|\|wDVBs tZOR]}PxCdwUe4.as$(em8ja)I(Ec3iqprQ}hb*\gx4Z
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 6a 01 3a 7f 47 bb ba 4e 2a 2d 65 8e 93 67 76 dc c4 b6 73 11 54 d6 f5 fd 0c ea a4 1e 6f 6c 6e 6d e0 b6 22 f8 33 34 6e 7d 05 12 10 53 5b 8a d2 71 1e 23 9a eb 40 bd 24 fd 0f e5 0c 47 12 b0 7a 63 2a 7a d4 df 08 11 9c 73 ed 0e 00 1a 0d c9 cf f0 95 7c fb 96 e4 6a de bd 6c 10 fe 89 c5 4e a1 73 60 51 15 04 a8 e0 68 b8 5a 1f 54 5b 89 b0 6b db 33 e3 47 9a d7 55 45 fd 64 48 e6 0a 23 2a a9 7d f2 f7 56 b4 91 59 38 ab 67 40 1a d1 f9 53 68 e0 6e aa 4a 50 ee 25 d7 74 a6 de 70 a8 c7 ea dc 8f cc 91 5b 7f 67 76 84 30 00 a9 8f b5 b9 ec 04 29 b6 d1 92 7c c4 2d 38 ed 26 3a 3d 5f 66 95 9b aa f8 1c d2 1a a9 b1 07 91 d3 af b4 f2 1f a9 7c 37 e8 a7 c0 12 fa 95 b2 c8 e2 e9 e3 59 f2 b0 a6 fa 44 f6 43 be ed 53 f8 56 32 f6 c0 83 48 20 43 b8 2d d0 67 6e d2 63 af c2 cb d8 1f 1b d2 3f 7b Data Ascii: j:GN-egvsTolnm"34n}S[q#@$Gzczs\|jlNs`QhZT[k3GUEdH#*}VY8g@ShnJP%tp[gv0)\|-8&:=_f\|7YDCSV2H C-gnc?{
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 5a 5a eb 47 b7 82 a2 f0 74 4f cd f5 85 7e 6b a1 14 a4 dd d4 ac 34 88 ee 93 55 3f 02 8e 19 03 45 4e 55 30 33 8f 95 d8 11 fa 64 68 da 10 b7 03 ce 79 b4 9e 35 0b 42 2a af 52 3a a8 68 40 1d 23 4a 5b d3 2d 48 b6 be 93 45 a7 f6 6a 83 7b 82 35 db b6 2f e2 cd a8 79 2d d3 ce 8a b1 be 64 20 24 6a 91 0c 44 d4 92 22 18 75 ea 7f ad 24 43 f2 71 3c 59 c2 b7 8a b3 14 4b af 0e c1 7f 38 7b 17 b2 7f 6c 96 28 d7 89 cb 90 d3 3e 42 71 52 d5 5f 88 32 5b 50 a5 c7 d3 b1 4c c8 49 44 b1 6f f3 25 0f 21 aa 22 35 e3 03 a6 2b db 49 15 e6 e9 ce 16 53 c0 fc 35 15 07 c2 a2 57 4c 35 38 4a c5 df aa 4e 0d 48 4b 38 6d d1 93 3a 38 26 49 29 c5 d0 4f 92 2a a8 24 c3 cc 0e 9c 2b 05 86 15 8d 67 98 9a 43 bb 06 a8 76 2b a8 fd 8c 51 b3 00 db d6 d9 fb bc 77 40 eb 02 36 69 36 43 1a 65 d7 97 f5 a2 53 8d Data Ascii: ZZGtO~k4U?ENU03dhy5BR:h@#J[-HEj{5/y-d $jD"u$Cq<YK8{l(>BqR_2[PLIDo%!"5+IS5WL58JNHK8m:8&I)O$+gCv+Qw@6i6CeS
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: b6 7a 94 77 91 f0 5f 1b 11 94 05 85 12 83 6f 33 af 4b 42 71 5a d5 07 48 fd cd 07 31 d5 45 55 5e 37 2a d9 ad 39 75 b2 d8 7a 5a 20 67 70 b7 00 20 19 32 c7 6e 96 5b 08 40 f1 22 79 d1 01 53 5a d4 12 1a cd 03 d9 dc 2b c3 6d 60 0c b0 5c dc 1d 91 6a e7 a1 98 bd b6 45 1d 59 3d b8 4b 58 68 bb 41 0c 51 88 f9 2c 9d 1d 1d 62 e1 d5 dc 05 c1 59 13 d1 f6 21 40 76 97 3e 4b 60 87 ef f9 1c 06 a7 20 2a 2e 2b 29 5e db a6 22 92 6c 41 70 a8 86 0a b9 7c 36 ca e4 99 13 79 f3 72 4b 07 5b 5c cc 87 f0 18 1b c7 78 8b 68 2c 88 39 b4 fd 95 3e 85 98 a7 fe 32 4e e7 b4 46 a0 f0 bd 27 da 1b 8e c8 82 7d 27 fc 83 34 a8 63 cb be 7f 6d 31 c9 d7 66 1b 75 89 9d ef fb 75 3e c4 37 27 1e 39 13 fb 31 02 b0 5d bf 8f d9 0b 26 55 35 ea 6b 13 46 c5 3b ee ef df bb 74 80 a6 fd 85 09 d8 e4 1d ae 2a 6b 97 Data Ascii: zw_o3KBqZH1EU^79uzZ gp 2n[@"ySZ+m`\jEY=KXhAQ,bY!@v>K` .+)^"lAp\|6yrK[\xh,9>2NF'}'4cm1fuu>7'91]&U5kF;t*k
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 6c b7 99 28 2e 6c 69 2f ee 3d 92 82 e2 20 13 ad 96 fb 86 c4 e2 53 45 38 42 b4 0a a1 18 c6 c7 7d dc 11 e4 dc b6 1b 72 10 37 fe 88 2c 1a b9 b2 8d 9a 87 47 79 a2 7d 5f 95 91 ac 93 7c 9f 5a e0 c6 91 a5 65 39 7c ef e3 22 71 95 14 9d 7a 39 b8 76 ea f4 bb 3a 20 fc 6f 6c b4 6e c3 7d 32 e7 6b 2e e5 0c f6 5e a6 31 ad 0b 44 70 4c 3f 5f 23 85 ae e2 8b 46 e9 94 e0 f1 a0 b8 43 db 8d ee e7 a0 a8 dd 8a ab 2f d9 92 1e 07 28 33 89 87 39 36 89 90 a2 3a 5d df 1f e7 2a 5b ec 67 a5 44 b1 bf fd b1 a1 ad b0 a7 fb ef c1 86 1e be 0e 79 c1 91 54 08 a8 fc 57 06 53 86 13 0e cd f7 6e 65 e8 88 c8 14 9e de 6c 93 77 be 9b da 02 dc da 12 67 ab 00 62 78 3f 00 46 c7 56 b9 a5 82 de 91 75 d9 91 e4 1e 9c 21 aa bf 85 e9 69 38 96 c1 14 84 c8 8f 7a b9 e1 ca ec 3e 77 1d 07 8a 48 ce ca 62 96 49 94 Data Ascii: l(.li/= SE8B}r7,Gy}_\|Ze9\|"qz9v: oln}2k.^1DpL?_#FC/(396:]*[gDyTWSnelwgbx?FVu!i8z>wHbI
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 37 53 30 9f 5c 69 ad 41 00 49 eb 0d 58 10 da c0 af 72 8c dd 23 1f 62 35 b2 49 c4 c9 2d b9 f5 72 36 32 98 f7 d1 45 b9 6a e4 41 96 1b bf f4 88 da b9 61 17 13 37 8e 2a 82 b3 59 73 eb 18 eb 72 3f 01 86 2f 2e ea a1 fc 51 93 4f a1 6f 47 53 49 1e ac 6b 62 76 7f 5d a9 ad 2e b1 1a 3f a1 57 e4 4c 38 ba 06 8e 32 49 7b c8 0f 2a c9 16 67 de e6 32 7a 6b 8b bd 16 b0 40 35 56 18 b0 aa 1a 30 ad 0f 77 79 24 ef bb d1 30 4b 21 f0 e0 66 af 2c ba 6c a0 e6 51 8a aa 22 65 59 99 9c fc d2 f1 5e 3a f3 ab 97 87 30 30 dc 4f 33 e1 e5 e6 d5 23 5a 1f 56 f8 78 a3 04 23 cb 51 f0 8e 5a d3 17 25 93 a4 0e 0f 50 d3 42 17 5d aa be 57 54 91 04 5f b3 a1 f1 fb 59 86 30 f0 7e 0b 89 fe c5 ef 3e 42 c8 1b 86 fd dc 43 5f 38 bc 39 16 f1 06 ce ae e2 15 2c 26 ea 5b 98 f7 20 2e cc ac 37 5d 41 56 f5 91 63 Data Ascii: 7S0\iAIXr#b5I-r62EjAa7Ysr?/.QOoGSIkbv].?WL82I{g2zk@5V0wy$0K!f,lQ"eY^:00O3#ZVx#QZ%PB]WT_Y0~>BC_89,&[ .7]AVc
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: 84 bb 0a 75 a4 76 69 02 7c f8 89 ce c2 67 22 4f 65 1c d7 3c 4e e3 61 78 9a fe 5d 46 88 bb 31 58 77 21 3c e7 ed c6 3f 5f 73 10 db 72 25 d9 20 4f d2 a2 59 ac 4e 91 03 93 d4 ea 77 4f be 75 28 fd a5 16 bd bd 71 0d 59 af 31 97 fc e5 d2 9c 37 6f 99 2b b5 04 6e bd ad e0 b2 bd d3 3b 29 e9 cd 48 2c fe bc 4c b2 f9 90 f1 a8 15 c7 b5 80 f2 b4 f7 77 d9 76 6a 85 70 ff 22 e5 e4 8a 36 ec 59 3c 6d 17 a6 e2 ab 4d 64 fa 56 52 b3 6a e3 e1 e6 a0 99 18 f5 3d 33 96 d1 a6 11 ad a9 65 39 12 34 0e a4 74 67 59 9b 7b 97 9f ab e1 2b 48 5b ae 5d ca b7 56 6c d2 2e 5a 88 7c 2f bc 1c 90 4b d0 af 73 5c c2 20 e4 25 9e 32 5a 27 c2 22 57 1a 65 05 1e 6b 97 8a b8 e1 e4 64 12 a8 87 a7 94 f2 6f 4f 44 de 49 7a 36 13 22 7d 59 89 85 d3 c1 5d 7b 47 5a 9c 2c af 26 b0 dd 68 c5 59 8f 56 20 f4 1b ff d0 Data Ascii: uvi\|g"Oe<Nax]F1Xw!<?_sr% OYNwOu(qY17o+n;)H,Lwvjp"6Y<mMdVRj=3e94tgY{+H[]Vl.Z\|/Ks\ %2Z'"WekdoODIz6"}Y]{GZ,&hYV
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: b9 55 c6 ef 93 c3 0a 45 8a 36 19 21 f4 2b 25 ae 19 32 2a 64 3c e1 bc e8 4c f3 cc 9a 21 bf 83 6f d2 4f b0 27 31 e3 7c 74 30 e8 68 d6 da 86 70 a3 16 a8 6c d4 86 05 a8 33 f0 16 5c 7c 1f c2 f5 52 a1 1a 33 6e d8 71 87 c9 a7 5f aa ca e0 ee bb c7 50 4a 61 33 4b dd b5 a2 c4 f4 71 7c 96 1b 43 c9 47 50 7c 8c 43 55 03 a4 68 ac 26 80 47 7f 44 5b 00 7f ed a5 19 f1 af 26 f0 50 82 46 04 08 ec c8 3b 4e fc 55 ea 7e ad 8e 80 f8 dc a7 b9 5c 1b 4b e9 31 e3 f7 01 af d2 eb f5 4b 2b e9 2b a6 1c 4c 76 c9 6c a8 c1 92 31 62 44 2a a9 17 2a eb 72 b3 7c 9d 2f d8 45 77 01 24 1a 6f 92 8d bd d4 e4 69 61 03 21 b6 7c c4 bd 6a cf 3e f5 f6 76 55 f9 8c b0 1c 05 06 95 d5 0b b7 c3 b9 85 01 79 22 e9 99 b2 3e f9 66 51 fd 72 1e 07 3d 8e 6b af c7 28 d7 87 e4 a8 fc 59 53 54 db f8 da 83 3e 7e ca 4c Data Ascii: UE6!+%2d<L!oO'1\|t0hpl3\\|R3nq_PJa3Kq\|CGP\|CUh&GD[&PF;NU~\K1K++Lvl1bD*r\|/Ew$oia!\|j>vUy">fQr=k(YST>~L
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: bd 26 53 fc 86 6b c7 1d 68 9c 7e ac 33 9c 71 52 bf 76 d5 5a c5 df 8c 8d f3 11 56 a9 2a 46 5b bc 1e 23 cb 5b cf 64 d6 b6 18 67 b3 9a a4 12 e9 2e 82 53 27 77 a5 87 17 c8 fd 2c 81 91 9b 57 ba 51 82 db d6 13 07 77 b2 51 9d f9 e6 98 a2 a4 f1 08 85 c9 ee f4 78 77 ca f3 ee 2a 7b 22 a2 21 8b b2 54 be 73 90 8f 97 59 2d e2 05 eb c5 a5 df 10 0d 4b 60 8c 21 45 d1 56 1a 39 a0 c4 bf 30 a5 49 6c e8 73 a8 c3 eb 9f 59 80 03 2e 8f 08 87 f3 ef ed 31 67 4b 5b 8e 1a 3e 03 56 ff 43 d2 32 9b b1 9b c5 85 bd ba 05 d3 ef 5c e9 29 a7 71 30 09 28 cb e1 d8 04 0f 7d 9f fa c3 26 74 b8 a7 06 48 ee e1 11 92 38 62 e2 58 37 0f ce ea d6 51 91 18 cf 56 e1 2b 0d 0f 9d 2d 0d 2b 15 da c6 8c 72 38 62 2f 18 b7 28 c6 ca d8 c7 91 0b 7c a1 ca 3f 03 c1 28 19 45 e7 51 cd bb ae 76 5b 34 38 90 6e 95 99 Data Ascii: &Skh~3qRvZVF[#[dg.S'w,WQwQxw{"!TsY-K`!EV90IlsY.1gK[>VC2\)q0(}&tH8bX7QV+-+r8b/(\|?(EQv[48n
2024-10-31 13:32:41 UTC	16355	OUT	Data Raw: d8 0d 5e 57 1e 29 25 b4 fb 7b 5f 75 b1 5a 60 95 15 62 d6 62 4d 8f b1 8e 4c 30 ca 27 4f 96 ec c4 8b ff 74 fd fa 57 2d 86 d4 ef 4b 2d 35 50 9c 8f 39 24 2c fa ff c8 ab 5b a1 1a 78 28 17 aa 67 21 81 39 80 28 fb 26 df 4e 21 ff cc 0d ce 18 cc 56 12 e2 0d 49 38 eb 61 a1 4d f3 09 41 3e 1f 7c d7 64 c1 b6 8d fb 39 ab 43 67 e1 e8 11 3c 61 08 4b 94 92 44 22 fb c7 18 48 5a b0 f2 19 88 73 8a de 7d 61 67 01 de fb 8f d8 a8 84 73 fd 51 de 04 2b b0 a8 93 f0 4b 49 3a 3f ff 0f ca 83 c9 c7 f0 72 27 d0 90 aa da b7 d2 c4 dc cc 9e be cf f7 d4 c4 ee 64 b6 a4 8a e0 7c ba a1 45 f2 23 d1 74 79 3e e5 66 04 a3 e8 0d ec cb ee 4d 20 53 1d 81 c9 cb 2e 22 78 d3 4f 86 7d d2 4b 79 82 d1 fb 8b 3b 77 a1 bf ce ac 91 0c 87 e1 89 24 62 9c a2 6b 4c 2a d2 0b cf da ad d3 19 78 c8 52 98 e1 e6 0a 48 Data Ascii: ^W)%{_uZ`bbML0'OtW-K-5P9$,[x(g!9(&N!VI8aMA>\|d9Cg<aKD"HZs}agsQ+KI:?r'd\|E#ty>fM S."xO}Ky;w$bkL*xRH
2024-10-31 13:32:42 UTC	162	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:41 GMT Connection: close Content-Length: 7

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:47 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:47 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:32:47 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:47 GMT Connection: close Content-Length: 24
2024-10-31 13:32:47 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:53 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:53 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:32:54 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:54 GMT Connection: close Content-Length: 24
2024-10-31 13:32:54 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:32:58 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:32:58 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:32:59 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:32:59 GMT Connection: close Content-Length: 24
2024-10-31 13:32:59 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:03 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:03 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:04 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:03 GMT Connection: close Content-Length: 24
2024-10-31 13:33:04 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:10 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:10 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:10 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:10 GMT Connection: close Content-Length: 24
2024-10-31 13:33:10 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:15 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:15 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:16 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:15 GMT Connection: close Content-Length: 24
2024-10-31 13:33:16 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U6ghPv3E7k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92095A5E-978C-11EF-8C2C-ECF4BB570DC9}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{92095A60-978C-11EF-8C2C-ECF4BB570DC9}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\m1niz3t\imagestore.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\uploadfcba94a8[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\registerbb130302[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\registerbb130302[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\register[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\registerbb130302[1].htm

C:\Users\user\AppData\Local\Temp\~DF3233F130AB51BE21.TMP

C:\Users\user\AppData\Local\Temp\~DF4C4ABBEFBEE1C868.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF510d0.TMP (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M925D3GEDGLRFZX1LVWS.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SB4AAY81SXRWD1OOVZ5Z.temp

\Device\ConDrv

Windows Analysis Report
U6ghPv3E7k.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:20 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:20 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:20 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:20 GMT Connection: close Content-Length: 24
2024-10-31 13:33:20 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:27 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:27 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:27 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:27 GMT Connection: close Content-Length: 24
2024-10-31 13:33:27 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:33 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:33 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:34 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:33 GMT Connection: close Content-Length: 24
2024-10-31 13:33:34 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:39 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:39 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:39 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:38 GMT Connection: close Content-Length: 24
2024-10-31 13:33:39 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:44 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:44 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:44 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:44 GMT Connection: close Content-Length: 24
2024-10-31 13:33:44 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:49 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:49 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:50 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:50 GMT Connection: close Content-Length: 24
2024-10-31 13:33:50 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:54 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:54 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:54 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:54 GMT Connection: close Content-Length: 24
2024-10-31 13:33:54 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:33:59 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:33:59 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:33:59 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:33:59 GMT Connection: close Content-Length: 24
2024-10-31 13:33:59 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:34:04 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:34:04 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:34:04 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:34:04 GMT Connection: close Content-Length: 24
2024-10-31 13:34:04 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:34:09 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:34:09 UTC	8	OUT	Data Raw: 8d 6b 95 2f 10 03 00 00 Data Ascii: k/
2024-10-31 13:34:09 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:34:08 GMT Connection: close Content-Length: 24
2024-10-31 13:34:09 UTC	24	IN	Data Raw: 2f 54 42 47 35 76 7a 68 35 72 37 59 37 48 71 75 4e 56 4c 4c 30 67 3d 3d Data Ascii: /TBG5vzh5r7Y7HquNVLL0g==