Edit tour

Windows Analysis Report
RafaelConnect.exe

Overview

General Information

Sample name:	RafaelConnect.exe
Analysis ID:	1546124
MD5:	7f4cc7b5c70bf16dabbed8fa5a6fa843
SHA1:	4c6df55517407dd0b8b1826368855e737ac36809
SHA256:	dd62b33333cd1aab1345cdab28d7bcba0f8be11f79a76eb0c3674d3d0677282c
Tags:	exevacationtogotravels-netuser-JAMESWT_MHT
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains very large array initializations

Drops executables to the windows directory (C:\Windows) and starts them

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RafaelConnect.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\RafaelConnect.exe" MD5: 7F4CC7B5C70BF16DABBED8FA5A6FA843)

MsDef.exe (PID: 6596 cmdline: "C:\Windows\twain_32\MsDef.exe" MD5: 00BA1E1D154E18D1124D87934FAE9F20)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iexplore.exe (PID: 3152 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 3532 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ssvagent.exe (PID: 1492 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 3532, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 1492, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 3152, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:26:22.093499+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49769	TCP
2024-10-31T14:27:00.070126+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49990	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50013 version: TLS 1.2

Source: RafaelConnect.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\ASUS\Desktop\persiste explorer.exe\Raf_ui\Raf_ui\obj\x64\Release\RafaelConnect.pdb source: RafaelConnect.exe

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49769
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49990

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vacationtogotravels.netConnection: Keep-Alive

Source: msapplication.xml1.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7706a4b0,0x01db2b98</date><accdate>0x7706a4b0,0x01db2b98</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x77102e95,0x01db2b98</date><accdate>0x77102e95,0x01db2b98</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x771290ae,0x01db2b98</date><accdate>0x7714f2e6,0x01db2b98</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: vacationtogotravels.net

Source: unknown

HTTP traffic detected: POST /register HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vacationtogotravels.netContent-Length: 8Connection: Keep-AliveCache-Control: no-cache

Source: RafaelConnect.exe	String found in binary or memory: http://rafaelconnect.com/form?token=QWEASDMCVNNASOASDASDBQUVBCCASDBASBDYQWUQVVVVCBNHFTRYUWJJNINQN123
Source: msapplication.xml.6.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.6.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.6.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.6.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.6.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.6.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.6.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.6.dr	String found in binary or memory: http://www.youtube.com/
Source: RafaelConnect.exe, 00000000.00000002.3393916119.00000000144D1000.00000004.00000800.00020000.00000000.sdmp, MsDef.exe, 00000002.00000000.2146685120.00007FF722592000.00000002.00000001.01000000.00000006.sdmp, MsDef.exe.0.dr	String found in binary or memory: https://vacationtogotravels.net
Source: imagestore.dat.8.dr	String found in binary or memory: https://vacationtogotravels.net/favicon.ico~
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registels.net/register
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/register
Source: ~DF863B075946964495.TMP.6.dr	String found in binary or memory: https://vacationtogotravels.net/register(
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttp
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttpels.net/register
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regi
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regiTL17
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regiels.net/register
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regier
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/register
Source: {AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	String found in binary or memory: https://vacationtogotravels.net/registerPhttpster
Source: MsDef.exe, 00000002.00000003.2236255150.000002A4251AF000.00000004.00000020.00020000.00000000.sdmp, MsDef.exe, 00000002.00000003.2231412809.000002A4251AD000.00000004.00000020.00020000.00000000.sdmp, MsDef.exe, 00000002.00000003.2238786161.000002A4251AB000.00000004.00000020.00020000.00000000.sdmp, MsDef.exe, 00000002.00000003.2235466771.000002A4251AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vacationtogotravels.net/upload
Source: MsDef.exe, 00000002.00000003.2244780322.000002A425199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vacationtogotravels.net/uploadr

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944

Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.6:50013 version: TLS 1.2

System Summary

.NET source code contains very large array initializations

Source: RafaelConnect.exe, Program.cs	Large array initialization: Main: array initializer size 576000
Source: RafaelConnect.exe, Program.cs	Large array initialization: Main: array initializer size 10240

Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\twain_32\MsDef.exe			Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\cscapi.dll			Jump to behavior

Source: RafaelConnect.exe

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal48.evad.winEXE@9/27@1/1

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF74CDFB90435CCD30.TMP

Jump to behavior

Source: RafaelConnect.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RafaelConnect.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\RafaelConnect.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RafaelConnect.exe "C:\Users\user\Desktop\RafaelConnect.exe"
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process created: C:\Windows\twain_32\MsDef.exe "C:\Windows\twain_32\MsDef.exe"
Source: C:\Windows\twain_32\MsDef.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process created: C:\Windows\twain_32\MsDef.exe "C:\Windows\twain_32\MsDef.exe"	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\twain_32\MsDef.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RafaelConnect.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RafaelConnect.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RafaelConnect.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: RafaelConnect.exe

Static file information: File size 1257472 > 1048576

Source: RafaelConnect.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RafaelConnect.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\ASUS\Desktop\persiste explorer.exe\Raf_ui\Raf_ui\obj\x64\Release\RafaelConnect.pdb source: RafaelConnect.exe

Source: RafaelConnect.exe

Static PE information: 0x801FD091 [Fri Feb 12 06:24:17 2038 UTC]

Source: MsDef.exe.0.dr	Static PE information: section name: .msvcjmc
Source: MsDef.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\RafaelConnect.exe	Code function: 0_2_00007FFD346800BD pushad ; iretd	0_2_00007FFD346800C1
Source: C:\Users\user\Desktop\RafaelConnect.exe	Code function: 0_2_00007FFD3468309D pushad ; retf	0_2_00007FFD346830AD
Source: C:\Users\user\Desktop\RafaelConnect.exe	Code function: 0_2_00007FFD34680FE5 pushad ; iretd	0_2_00007FFD34680FFD

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\RafaelConnect.exe

Executable created and started: C:\Windows\twain_32\MsDef.exe

Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\twain_32\MsDef.exe			Jump to dropped file
Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\cscapi.dll			Jump to dropped file

Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\twain_32\MsDef.exe			Jump to dropped file
Source: C:\Users\user\Desktop\RafaelConnect.exe	File created: C:\Windows\cscapi.dll			Jump to dropped file

Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe	Memory allocated: 1890000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Memory allocated: 1C4C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe

Dropped PE file which has not been started: C:\Windows\cscapi.dll

Jump to dropped file

Source: C:\Windows\twain_32\MsDef.exe TID: 2188

Thread sleep time: -85000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RafaelConnect.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe

Process created: C:\Windows\twain_32\MsDef.exe "C:\Windows\twain_32\MsDef.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe	Queries volume information: C:\Users\user\Desktop\RafaelConnect.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\RafaelConnect.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\RafaelConnect.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	121 Masquerading	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RafaelConnect.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\cscapi.dll	0%	ReversingLabs
C:\Windows\twain_32\MsDef.exe	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vacationtogotravels.net	89.221.225.227	true	false		unknown
windowsupdatebg.s.llnwi.net	87.248.204.0	true	false		unknown

Contacted URLs

Name	Malicious	Reputation
https://vacationtogotravels.net/register	false	unknown
https://vacationtogotravels.net/upload	false	unknown
https://vacationtogotravels.net/favicon.ico	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://vacationtogotravels.net/favicon.ico~	imagestore.dat.8.dr	false	unknown
http://www.nytimes.com/	msapplication.xml4.6.dr	false	unknown
http://rafaelconnect.com/form?token=QWEASDMCVNNASOASDASDBQUVBCCASDBASBDYQWUQVVVVCBNHFTRYUWJJNINQN123	RafaelConnect.exe	false	unknown
https://vacationtogotravels.net/registerPhttp	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
https://vacationtogotravels.net	RafaelConnect.exe, 00000000.00000002.3393916119.00000000144D1000.00000004.00000800.00020000.00000000.sdmp, MsDef.exe, 00000002.00000000.2146685120.00007FF722592000.00000002.00000001.01000000.00000006.sdmp, MsDef.exe.0.dr	false	unknown
https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regiels.net/register	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttpster	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
http://www.amazon.com/	msapplication.xml.6.dr	false	unknown
https://vacationtogotravels.net/uploadr	MsDef.exe, 00000002.00000003.2244780322.000002A425199000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.twitter.com/	msapplication.xml6.6.dr	false	unknown
https://vacationtogotravels.net/registels.net/register	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regier	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regi	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
http://www.youtube.com/	msapplication.xml8.6.dr	false	unknown
https://vacationtogotravels.net/register(	~DF863B075946964495.TMP.6.dr	false	unknown
http://www.wikipedia.com/	msapplication.xml7.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/register	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttps://vacationtogotravels.net/regiTL17	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
http://www.live.com/	msapplication.xml3.6.dr	false	unknown
http://www.reddit.com/	msapplication.xml5.6.dr	false	unknown
https://vacationtogotravels.net/registerPhttpels.net/register	{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat.6.dr	false	unknown
http://www.google.com/	msapplication.xml2.6.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.221.225.227	vacationtogotravels.net	Russian Federation		41691	SUMTEL-AS-RIPEMoscowRussiaRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546124
Start date and time:	2024-10-31 14:25:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RafaelConnect.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@9/27@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.177, 2.23.209.157, 2.23.209.169, 2.23.209.162, 2.23.209.167, 2.23.209.173, 2.23.209.160, 2.23.209.176, 2.23.209.168, 204.79.197.200, 93.184.221.240, 2.16.100.168, 88.221.110.91
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, a767.dspw65.akamai.net, wu.azureedge.net, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ieonline.microsoft.com, wu-b-net.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, any.edge.bing.com, go.microsoft.com.edgekey.net
Execution Graph export aborted for target RafaelConnect.exe, PID 3992 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: RafaelConnect.exe

Simulations

Behavior and APIs

Time	Type	Description
09:26:06	API Interceptor	1x Sleep call for process: MsDef.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	https://www.guidedtrack.com/programs/n5snx1a/run	Get hash	malicious	Unknown	Browse	87.248.205.0
	https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
	https://dzentec-my.sharepoint.com/:u:/g/personal/i_lahmer_entec-dz_com/EdYp5IxQ-uxJivnPAqSzv40BZiCX7sphz7Kj8JDyRBKqpQ?e=wqutC4&xsdata=MDV8MDJ8c2NvdHRkaWF6QGRlbWVpbmVlc3RhdGVzLmNvbXw2YjUyZTY2NWViYzI0M2MxZGE1NjA4ZGNmNzI0NDEwY3xkMTRiYThjYzk2NDI0NzNhYTE0ZWY3NzIxODgzMzJmZXwwfDB8NjM4NjU2OTgyMzMwNDY2MDIzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=ZnFidXdudm9CbXlMY3MxYTAxVjk3N2plVFdSTHZ5MVlZOGdkRkRZNEUxYz0%3d	Get hash	malicious	Unknown	Browse	178.79.208.1
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse	87.248.205.0
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	41.63.96.0
	Reminder.exe	Get hash	malicious	Amadey	Browse	87.248.202.1
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	87.248.204.0
	https://www.amazon.com/gp/f.html?C=23J4QFP74FONO&M=urn:rtn:msg:20241025141131e9a815878e9d4465817166f46870p0na&R=1M7L2I94B4ZIJ&T=C&U=https%3A%2F%2Fegift.activationspot.com%2F%3Ftid%3DYK1PHH1DX97D1S1Z9HQR847P7C%26gw%3Dn%26gs%3Dn%26gcm%3Dn%26eid%3D6JYG3M7PQWB0V0CKWHZL19MZFR&H=ZCJSSIIYIVFZPUKZ30QWV8HWJDKA	Get hash	malicious	Unknown	Browse	87.248.202.1
	U01wqIX537.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.79.238.128
	https://chapelet-mariae.com.pl/qgxPm/	Get hash	malicious	HTMLPhisher	Browse	178.79.238.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUMTEL-AS-RIPEMoscowRussiaRU	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.172.94.66
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.172.94.66
	sh4.elf	Get hash	malicious	Unknown	Browse	87.117.138.145
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	178.130.55.72
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	109.172.60.44
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	89.221.206.246
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	109.172.88.38
	uyTCVR3mBl.elf	Get hash	malicious	Unknown	Browse	89.221.225.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	89.221.225.227
	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	89.221.225.227
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	89.221.225.227
	http://wesiakkaernten.fibery.io/@public/forms/gBNXdAWE	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	89.221.225.227
	PO-004976.xls	Get hash	malicious	Unknown	Browse	89.221.225.227
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	89.221.225.227
	-Payout Salary Benefits.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	89.221.225.227
	https://forthedoglover.com/Ray-verify.html	Get hash	malicious	Unknown	Browse	89.221.225.227
	FW Complete with Docusign Remittance Advice .pdf.eml	Get hash	malicious	Unknown	Browse	89.221.225.227
	http://url5148.librariapena.com/ls/click?upn=u001.GicqFEndYG5aFpuN1ngPufTfXrsQ9xNlNirpytR4MM9aBsYYFODsiAPftWqmKpvrE6ff_B2fWkfszhSflnL0HA3FnQqEKk1HJkizy-2Fud2LEQeI5aha2K2G6ppF2O0bL7D7H7LMN8WGu5xRF2M8uaTM6MXf6DAMaADWmIUL1YqZWKrQh1g-2F0n0cxV2mRrNZEteUwfW5DOdClcZ0c7E-2FIhACBFYnzvVFSnfSt3CZCN7P1EL1QyPVm42KBQGCDp3btvtG-2BbRJha-2FOyJXx-2BDZbno3l2jsvw-2FwkacYeoKE0uINsamNbg0rV0A52QCvn7k6VYTShXjbi9u51Z787-2F01bX1DTA9aSBSP-2FWMLEspaU-2FIdc1x-2FmRDSh7t6BQtQAtVlDsdci-2FkdE5XEzXcy1T7RT1mRx0Z8c0C7T5TxNvH7MOJLp-2BPx4LTMm4cKm4w-2Br4av4rqX3sFI-2B0Z54CPJjpfmgkQpOwbMxDkpsmVoLcKhd8rV7DcMtFguJaotRS3nEWM4vOO-2FegVGhzrwPBH6NjA2esFflr-2FYmA56ZztqyuVYNkq6vFbZhu3qpImgcxi-2BBybDKRWWCy9ZJhz5kW6d7c5iFMdA14shvBlO5oteNsOg1T8Wcd4MIJllivR5RQLa6JKyKUfgK8kF9DoOU4JGzocfITKQs9Z05ET92-2FS1aC5wu-2FuyffXQ4VOTrXPB9d3zUlvAaEdOc87CGa5e4y4lu-2F-2B9njpJqjlihSLoXPx3uHJhhT5l60Eu-2Fd0OnNMVN2uGoOn8P4Kyfxcr-2B3atbrIS84kkAo7VV7ElDHFn2Wn-2B0iZqwoFL1t1YCz2cR3xAkH3Dm45o7ag9bF7tv0L4g2t8v1fAwuiPylHAHkqFOEcwcDndKNNLE7ObrCi0wDxBijc-2FYVZU6-2F0yIfBAmiocABK2NEl2-2F-2FPMERnDYg-3D-3D	Get hash	malicious	HTMLPhisher	Browse	89.221.225.227

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	1282
Entropy (8bit):	4.385158692246699
Encrypted:	false
SSDEEP:	24:w/k5OmKMM/1RKOMFMUbasvCYn+zR38zH7rp2BOb6w3A8dn:w/k5Omn61RKONyZTn+zRqPwBi3Ao
MD5:	97B6F29DC7F68FA14E059D1732A38657
SHA1:	F91A576AF1AE52373585ED3308DFCB22964CC6C2
SHA-256:	16F32E1CC30570BCB21CDB5F4B77B4E431718A391001F44D03E6070978755E7B
SHA-512:	429037CE602015B6645AFE76D36FCDD27E77D8D51C081F319678D5ED3FAE74458C3B9410ED7B78C93E6E5BD3CC0D1E6837DB22A1E7DB3B66A390CC21060FA13E
Malicious:	false
Preview:	........+.h.t.t.p.s.:././.v.a.c.a.t.i.o.n.t.o.g.o.t.r.a.v.e.l.s...n.e.t./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....................................................................................................................................................................................................................................................................................................Y..1..&...?..............b........................... ...L.,...3{....O...[...9...................................].....g......}..)p....................................................."...!z..!u..............................................;............k..q.......................................mmp.........[...J...e.......................................................................WVY.LKN.YX[.....................................................FFI.jjl.................................................}}............................................

Process:	C:\Users\user\Desktop\RafaelConnect.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.8255967173958965
Encrypted:	false
SSDEEP:	192:p3p7NUxMX8A/Lp0IPt8JWHg4zXBsrZrJs:veiZ/iIPeJRJrr
MD5:	6A1A6900115EFD4956D0211D59388BF6
SHA1:	CCF7876842C734A387A1AF36C3AE01237B74AB9F
SHA-256:	7E59191B35CF5EA416FF7ED077585C2FF195A4F18E525AFF71823801F7C1A4E1
SHA-512:	04E8491369BD784B995474ECFE2F6A0CCBC3726580993D9AEA8128C871CCEFDC5D00BB9E1362E572029B65F1CF4D3F04A9AE8E3D6D68D3B46A5280B7FD1E0560
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<!..]O..]O..]O..%...]O.(N..]O.(J..]O.(K..]O.(L..]O.'/N..]O..]N..]O.M(F..]O.M(O..]O.M(...]O.M(M..]O.Rich.]O.........PE..d....d.g.........." ................`........................................p............`..........................................'..H....'..P....P.......@...............`..(....!..8............................!..8............ ...............................text...h........................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.031792130811916
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	RafaelConnect.exe
File size:	1'257'472 bytes
MD5:	7f4cc7b5c70bf16dabbed8fa5a6fa843
SHA1:	4c6df55517407dd0b8b1826368855e737ac36809
SHA256:	dd62b33333cd1aab1345cdab28d7bcba0f8be11f79a76eb0c3674d3d0677282c
SHA512:	c39aeaafbd62c4bc95e3f3690fa496ea994c8dd468e9dbd0553042aede96fee6dc9d25592676289a42c94d3da06c329ec777a62719a057afa47c79de6875f304
SSDEEP:	12288:yfLaQYIeHryE7JESZz9nJFHvzHcKiEug8Lo+yLn5HB:yuIbE7JESZxHvzHcKio8LyZB
TLSH:	A345175298A813CAF590FBBFE1368935E37E9D6169759CD49819F8E323B31C10B8087D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0......4........... .....@..... .......................`............@...@......@............... .....

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x801FD091 [Fri Feb 12 06:24:17 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x43220	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x625ac	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xef858	0xefa00	acb936368a60cfdd101442987bd435c1	False	0.3799026799687011	data	5.76435012889828	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x43220	0x43400	cc15b38a86dc3dca4f7ca91eb000d37f	False	0.06842835153345725	data	1.1910693571047277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf2100	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 39 x 39 px/m	0.0617436458857295
RT_GROUP_ICON	0x134138	0x14	data	1.1
RT_VERSION	0x13415c	0x35c	data	0.4127906976744186
RT_MANIFEST	0x1344c8	0xd52	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3847507331378299

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:26:10.965956926 CET	57021	53	192.168.2.6	1.1.1.1
Oct 31, 2024 14:26:11.121093988 CET	53	57021	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:12 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:12 UTC	8	OUT	Data Raw: 26 61 ab 21 6b 00 00 00 Data Ascii: &a!k
2024-10-31 13:26:12 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:11 GMT Connection: close Content-Length: 44
2024-10-31 13:26:12 UTC	44	IN	Data Raw: 58 37 77 62 44 62 31 71 47 66 69 32 56 4e 78 79 48 39 5a 45 77 4f 46 67 6a 6a 56 54 70 44 31 62 5a 43 71 4b 53 54 68 57 6a 4d 67 3d Data Ascii: X7wbDb1qGfi2VNxyH9ZEwOFgjjVTpD1bZCqKSThWjMg=

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:13 UTC	212	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vacationtogotravels.net Connection: Keep-Alive
2024-10-31 13:26:13 UTC	312	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: image/x-icon Last-Modified: Mon, 25 Sep 2023 13:01:08 GMT ETag: "1695646868.0-1150-965286158" Server: Microsoft-IIS/10.0 Content-Disposition: inline; filename=favicon.ico Date: Thu, 31 Oct 2024 13:26:13 GMT Connection: close Content-Length: 1150
2024-10-31 13:26:13 UTC	1150	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 20 00 68 04 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 12 0b 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ff fe fe fd ff ff ff ff ff ff ff ff ff ff fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ff ff ff ff ff ff ff ff ff ff ff ff ff fc fb f9 ff ff fe fd ff fd fc fc ff ff ff ff ff fe fd fa ff fd fd fc ff ff ff ff ff ff fe fc ff ff fe fb ff fc fc fa ff fe fe fd ff ff ff fe ff ff ff ff ff ff ff fe ff ff fe fd ff ff ff ff ff fb Data Ascii: h(

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:16 UTC	326	OUT	POST /upload HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 669900 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 6b 00 00 00 31 16 b5 04 c0 38 0a 00 05 4c 0a 99 86 8a 52 5d 64 8c 12 3d 2e c3 c6 ed 69 18 d1 8a 46 06 a3 38 d4 51 55 c3 54 4f 75 8d 78 fa 0e 57 16 eb 2b 46 6d ee 44 81 cc 67 0d b4 ce a8 3c 8c d2 34 0b 8c 1b ab bd 10 84 6a 4f d5 9d d5 6a d5 f2 30 24 c9 4b b8 3d 41 49 4c d9 29 4c 47 79 7f cf 6d 8b c5 55 bb 54 09 a9 35 29 49 01 a8 dd 41 31 32 8c c3 93 f4 50 8a 50 3a d1 59 e3 01 79 7d 41 bc 72 ee a3 d4 68 07 6b 8a 0b fd 95 e9 4c 17 26 4e 76 2b a1 a2 d5 92 5f b3 82 5d 18 79 48 d0 45 15 bb fa c7 fe 18 37 11 77 98 32 72 db 34 88 66 4c 52 8a 1a 39 b8 68 41 6d d0 66 78 5e 37 a6 88 61 f9 1b 6b 93 c2 72 4c 87 b2 ce a8 ca 41 61 ed 9e cd 94 a7 0d a0 38 58 25 e7 eb b6 33 cb 8c 0c 0f 43 a4 30 4f 6b f6 88 27 30 83 b2 e8 f6 f5 c1 0e b4 2e 5d 47 e2 a2 00 1f 0b 5d 3d 2e 14 Data Ascii: k18LR]d=.iF8QUTOuxW+FmDg<4jOj0$K=AIL)LGymUT5)IA12PP:Yy}ArhkL&Nv+_]yHE7w2r4fLR9hAmfx^7akrLAa8X%3C0Ok'0.]G]=.
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: c0 e3 50 25 71 f3 82 50 a9 c1 dc 35 54 70 12 cd b0 8c 05 3c 05 ac 40 90 70 7e e2 24 07 8f c8 96 d5 79 20 c9 d8 2f 13 cd 35 1f ca d4 50 12 4a 0d 7d 75 9f 62 52 e3 17 ca 21 3c 07 0e 6e 1f 70 12 0c 3b d9 58 47 5c 1b c2 44 9f 98 e2 24 c9 65 91 77 15 9e ad fc 09 dc cc 03 84 fd 3a 28 3a 78 3f 59 33 8e d4 49 16 44 be db 7b 14 ad 2c b6 f7 b2 b2 76 92 56 e3 b2 e3 7f c5 61 3a 73 44 2d 09 61 ce e7 5c 61 a5 84 c1 66 76 46 a5 1e 44 15 70 6a 18 a5 65 31 e3 8d 52 41 32 fc f0 ce 6b 64 3c 0e a2 af b5 38 41 05 4c 95 33 0b 81 87 c8 c0 2a 39 9d 91 46 74 aa 0a 6d 88 db 41 7d 27 c4 ea 01 77 21 b3 65 81 11 d5 36 18 32 de 1b 1f b5 c3 ec cd c7 a6 6b 0b 8e 2d 9c e4 16 32 3a 37 6a 5f 92 72 75 00 03 33 11 d6 09 d7 5c 9f b4 bf 8b 43 73 a8 9b 90 69 dc 1a e6 58 9f e2 12 86 80 f1 b0 2f Data Ascii: P%qP5Tp<@p~$y /5PJ}ubR!<np;XG\D$ew:(:x?Y3ID{,vVa:sD-a\afvFDpje1RA2kd<8AL3*9FtmA}'w!e62k-2:7j_ru3\CsiX/
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 16 fd 2d 49 f3 d8 45 e8 4f da 91 0c c2 07 39 80 18 d9 4e b1 4e 67 a9 8f 5d 18 c3 63 fc 87 85 b4 f5 1b f6 d5 7f 47 7d 77 7d 21 7f ca 99 e2 8a d3 41 43 be 05 20 43 b9 2f 84 ca ee 66 e8 31 c5 00 9e 22 8b 25 89 74 a3 c4 54 c2 94 b7 a3 e4 39 c4 2a c9 49 fa 16 27 fa e8 e9 e5 f6 99 c0 be 5c e7 bc 51 20 02 08 af 6a ab f7 22 d5 35 3b 00 ef b8 3b 6d 70 7d 69 30 7e ec d5 d8 59 87 87 73 6f 39 1e 5a 20 96 53 5d bf d5 e6 66 5f 25 41 1d 58 a6 28 45 a9 ea 0f 9a 95 e6 42 75 0c fb ff 76 3d 3b d3 8c c9 a3 92 ea fe 04 f7 ca 5a df 68 45 57 64 27 57 1b fd fb 82 2c 75 9f 7c 09 42 96 b5 df 2c b5 c2 75 a4 11 37 13 a8 af a5 72 55 c1 58 71 ac c9 23 be e0 1a 37 bd 30 2f aa b2 60 93 45 9a 34 80 72 a1 37 0f ab ea 73 ef 50 75 21 66 52 e7 f4 d7 30 b6 bd 73 14 a9 f9 6e 7f 74 ec 06 12 05 Data Ascii: -IEO9NNg]cG}w}!AC C/f1"%tT9*I'\Q j"5;;mp}i0~Yso9Z S]f_%AX(EBuv=;ZhEWd'W,u\|B,u7rUXq#70/`E4r7sPu!fR0snt
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 54 70 7c 6e df cb ac a8 3d d2 b2 45 e7 a9 3d 5e 9e 96 a4 b5 8e 3f 0e f5 2d dd 30 0b 1f fe 8a c5 8b 9d 7b ae bc 2d 40 d6 97 56 1b 16 48 7b 7b 56 09 93 21 d3 14 6a 34 27 1a 49 65 43 23 bf d9 2b 79 e7 fd 22 ab b8 5a 49 19 a5 ae a5 dd 10 22 79 c5 a1 23 c6 67 a3 7f 0f b0 ed 9f 4d b4 57 67 67 05 f2 71 8e 9b 1f 4e e9 83 ba 43 61 12 05 88 0d 6b 65 40 90 39 2e ed 21 6b 79 91 b9 79 0b a5 d9 ba 1c 37 fd 05 a0 5f 5e 38 00 24 61 7a 73 70 92 c2 e4 7c bc fc 8f 71 a2 44 1d 52 80 b0 8b 87 f2 f6 a3 69 1a b5 60 06 d1 bc 62 da ec 78 59 fd 03 4d 93 12 1a 2e c7 84 7c 36 67 d7 c1 6c 0a 94 54 f6 65 d1 11 76 e7 2d b7 25 8f 23 3c f2 30 e8 ba ab 45 29 30 c9 13 74 b5 cb 39 79 26 46 5d f9 bd 16 26 5a 8b 86 d8 eb ad 80 3a 16 b7 1b 74 37 19 92 0f e6 e6 2e 47 92 d0 68 31 b4 de 5e 50 a8 Data Ascii: Tp\|n=E=^?-0{-@VH{{V!j4'IeC#+y"ZI"y#gMWggqNCake@9.!kyy7_^8$azsp\|qDRi`bxYM.\|6glTev-%#<0E)0t9y&F]&Z:t7.Gh1^P
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: f7 e8 fd 2d 07 01 6b 48 ed 89 08 02 35 e3 4f 56 b1 98 05 b8 82 8e 6e 5d 65 01 c7 09 07 99 76 3d 1b 21 47 7d fa 6f 37 9a 1a 30 e7 a3 b0 e6 be f1 28 1f 69 84 83 f6 d7 65 80 01 31 ea e4 cf a8 30 97 a7 76 7d e6 43 e3 6c 5d ad 3e 26 ec 34 d9 0a cf b0 fa 08 c1 84 04 05 fa f8 01 bb 2a c8 cd b4 a8 88 d7 e0 f6 1e 9a fc a3 aa b7 a0 9c d9 ee 40 a2 42 6e 80 c0 13 dc b3 92 b5 59 a5 4d 79 4a 33 11 2d 1e 92 22 cb bb 8b 9e 4c 3a 2f 14 c6 f5 65 80 04 a2 28 0d fe 7f 17 a6 be 78 ab 7d 78 ee b3 1a f4 be cb bd 09 d9 2f 45 d7 05 9d 96 47 b1 f0 81 0d 73 f4 38 81 ef 9a e6 90 58 9a cc 1a ce dc cc c8 a1 0a 5b b8 17 2c 16 08 85 cd 72 36 fb 4b 0a 86 d9 ce 99 59 2e ef 33 fc fa 9b 39 8b df d9 0d 10 a9 38 8d 6a e6 be 59 a9 29 de 42 05 f1 ac 2b 28 a9 45 eb f7 0a e0 a4 de 91 6e a5 05 32 Data Ascii: -kH5OVn]ev=!G}o70(ie10v}Cl]>&4*@BnYMyJ3-"L:/e(x}x/EGs8X[,r6KY.398jY)B+(En2
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 31 d6 25 f4 60 f8 9b ca 85 c1 0a d4 83 81 28 92 00 dc 85 fd 23 cb c0 57 86 0a a2 19 b2 1a 9c 0b b4 ba 49 8e d4 6b f9 ae ed be 95 0d 84 a6 53 0d a6 e4 0c 3b ae 1b c4 2e 51 6a c1 6a 4a a5 29 6b a2 26 bb 25 09 f4 7c 97 e5 44 98 f6 73 b7 bb e7 c6 aa 04 2e 58 f0 30 e9 e5 83 e0 db 91 92 f0 e4 c6 aa fe 16 09 35 e3 7e 28 a2 c0 15 ab ea 06 7f 33 ce 76 0a 1a d9 5a 0d df b9 7a ec 7e d8 e7 60 b3 67 80 1e d8 71 f3 2a 0f 3f 69 6c 23 80 94 2c 98 5f 0c 06 7f 68 92 56 cd ba 02 d3 a5 a5 e8 46 b8 db 30 90 1d 30 c0 c7 ae 94 da 8e 51 98 76 cd 26 ea 18 ec 45 ff 51 99 9b 05 7c d4 a2 12 4f 78 7b 2e 7c 34 c9 be b0 45 d4 5d a9 6e f2 e6 53 bf 70 61 f7 13 3d 0c 9a 4d bb c4 bb d4 e7 9b d2 43 cd 9d 20 24 39 74 2c bd cc b0 9e ad 1b ca c3 a6 6e 2f ee e8 b5 76 b9 64 25 49 cc d3 19 20 c1 Data Ascii: 1%`(#WIkS;.QjjJ)k&%\|Ds.X05~(3vZz~`gq*?il#,_hVF00Qv&EQ\|Ox{.\|4E]nSpa=MC $9t,n/vd%I
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 59 11 87 a7 03 e4 97 37 92 43 9f 01 8e 3e 70 14 24 ec 97 a8 f7 e1 94 a2 e1 fb d0 33 4f ab 91 d5 33 43 01 30 bd 7f a5 f5 97 c9 9a 00 cf 9e 8a cf 54 05 e4 46 28 6f b5 4e 51 a1 93 42 87 c2 d4 72 c9 c3 ca 32 3a 70 5a e3 05 35 d1 7a 73 33 f4 6b ab 1b d9 c0 61 8b 45 ef e4 bc fe db f2 c4 55 27 1c cf cb de 3d 0d 29 60 a8 4d 97 c6 77 59 9d b3 67 b7 39 58 f4 e2 09 14 7c 63 b7 97 bd f8 24 bf ba 3e ec 21 62 e6 e9 52 39 fe 8b 63 29 1a 40 a2 d7 e1 05 f8 04 02 33 4b 61 01 56 69 fb 15 e6 f2 b9 9f 5f 43 dd df 73 ad 19 96 5f 52 6b 8d a1 2e 2d c3 a4 84 21 3a 2c eb 73 5d 74 3c 59 b0 52 6b 58 03 08 6c 55 bc 65 23 67 84 8d 96 a5 52 d9 70 e1 2d aa 31 85 eb 80 23 2a 1a 7b fa fb 36 15 79 5f b6 1a a9 f5 7b 63 34 b9 62 5a 7e 20 c5 b9 ed 71 f4 54 8a 16 5c 08 7d eb bd cc 78 8f d1 25 Data Ascii: Y7C>p$3O3C0TF(oNQBr2:pZ5zs3kaEU'=)`MwYg9X\|c$>!bR9c)@3KaVi_Cs_Rk.-!:,s]t<YRkXlUe#gRp-1#*{6y_{c4bZ~ qT\}x%
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 04 99 fc 54 9b 19 38 3a 69 3e 96 55 74 f2 29 41 35 da bd fd 15 9e a3 43 5a 6b ae e1 f0 33 3d f1 80 64 24 7e d9 6b e9 42 ae bc 3e e6 da c7 e1 fd 11 e6 d6 5e 5c f8 7e 51 3d 88 33 e6 64 8b ec 03 1a 6f 15 2a a9 29 e7 62 54 6c f2 27 45 07 00 38 59 ef 15 01 29 ab 18 f3 97 64 95 31 07 67 c6 5e 6c bf dd da 9e f2 e1 d5 9a b8 b4 97 e9 27 62 90 d6 eb 0b 85 93 3a cb 3a 6e 46 69 2b f9 33 3a 0c 36 9b 66 e2 d2 f7 93 1c 9f 75 82 36 f4 1b 72 af a5 91 0d 71 ee 6b 86 3c 6a 25 cc cd 52 05 be 5c 86 3c 4e 1a 55 6d 5c 76 fe d6 14 38 ed 95 60 f6 a0 44 1c fe 19 fb 5e 11 95 51 da 72 20 68 d3 16 e5 ee cf db 5a 56 b7 98 77 c6 fb c2 3d 69 c2 40 fd 2d 8c 14 35 29 cd 58 7b 12 8b 38 27 a9 25 65 81 c7 10 3a 5a 65 df cd 97 42 7d 85 bc 62 26 5f 98 71 b2 77 91 5a 9c 1b 88 d3 c1 0d b4 0b 8e Data Ascii: T8:i>Ut)A5CZk3=d$~kB>^\~Q=3do*)bTl'E8Y)d1g^l'b::nFi+3:6fu6rqk<j%R\<NUm\v8`D^Qr hZVw=i@-5)X{8'%e:ZeB}b&_qwZ
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 58 47 cf 4e 39 5c cf a7 d5 02 7b f1 08 f2 ac 71 f0 6d d1 5a ef 0d 25 3f eb ec b6 a5 e2 7f 72 bd a7 65 45 67 b8 22 2e 29 1b 59 cc 6d f3 a4 5e cf 22 d6 b8 7e d9 b5 18 1a 2e b1 b2 5d e2 4c 03 99 6a 67 2e a1 55 60 d4 41 57 f1 fe 96 8d 13 6c e4 eb 1d 41 0c 51 76 a7 6f 90 8a ba e3 43 48 cd ed c9 25 fc a8 01 c5 7d 76 bb d4 06 9f fb 1a d2 41 39 15 3d c9 48 d1 91 a2 1f 87 55 f8 4c 04 da a1 57 c2 6a d9 6d aa 2c 1d 8f 16 ef 6d be 85 a7 d3 e8 ab 80 43 41 d0 6f a5 b0 96 9e ea c6 d8 a1 55 93 6d b5 2c fa cd 73 23 5d 83 e4 5b 49 61 98 7e 00 df 42 24 3c 12 64 8b aa 11 a6 1b 6d a5 fc 1b 09 9e 59 a0 70 c2 17 1e bf 81 54 6d 12 fb 12 71 f0 ed ca ae f0 ba 77 a3 53 46 0f a7 92 4f 15 28 97 f1 f1 b4 21 b4 18 d4 3b 2a 00 a5 53 3d 4e 08 db e1 f1 5d 78 0b d1 0e ac 59 6f 52 27 81 d9 Data Ascii: XGN9\{qmZ%?reEg".)Ym^"~.]Ljg.U`AWlAQvoCH%}vA9=HULWjm,mCAoUm,s#][Ia~B$<dmYpTmqwSFO(!;*S=N]xYoR'
2024-10-31 13:26:16 UTC	16355	OUT	Data Raw: 02 81 ef eb c5 77 4a df ad 17 e1 ed 9e 7e ab 95 6e b2 b4 d5 00 4f f8 a6 4f e7 aa 21 7f f3 b0 7e ca 8e 13 82 68 ca d8 ae a4 e7 63 b4 48 99 46 77 dd 7f b6 e1 18 b5 bc 23 1a c6 36 e6 4a a9 f1 55 1c f4 df 43 79 d6 50 1d 0f f9 52 f2 fa 83 ac d1 46 99 4f ab 0f 8b 5f e1 ae 0d 88 65 e8 54 5b e5 70 a0 93 d7 f3 f7 50 a7 b8 90 7c c7 43 de 44 55 4c c0 ce ae 21 df e8 78 c5 5f 03 3e 27 3e 28 e6 46 04 c5 73 a5 85 d9 a7 12 c0 1a 69 c3 93 1b e1 b0 42 da 27 aa e2 20 32 c3 3a 79 73 1b 75 57 ec 5b 34 77 6f 0f 7f a0 5a 16 55 37 f8 ae c7 7c ef ba 39 df 2b e4 13 66 ac a9 b4 45 20 19 4b 46 3a 4d 5d 52 28 16 85 56 3c 74 70 4a d7 15 fc 47 86 a2 a6 64 20 e8 e6 43 6b fd df dc 64 12 d0 4a 8c 02 c2 f5 15 33 2c 37 88 e3 8d a3 48 51 23 6c 7c bc 3b a6 7f dc 94 6f c7 7c d6 93 39 03 9f d7 Data Ascii: wJ~nOO!~hcHFw#6JUCyPRFO_eT[pP\|CDUL!x_>'>(FsiB' 2:ysuW[4woZU7\|9+fE KF:M]R(V<tpJGd CkdJ3,7HQ#l\|;o\|9

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:25 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:25 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:25 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:24 GMT Connection: close Content-Length: 24
2024-10-31 13:26:25 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:32 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:32 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:32 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:32 GMT Connection: close Content-Length: 24
2024-10-31 13:26:32 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:38 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:38 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:39 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:38 GMT Connection: close Content-Length: 24
2024-10-31 13:26:39 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:45 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:45 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:45 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:45 GMT Connection: close Content-Length: 24
2024-10-31 13:26:45 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:51 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:51 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:51 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:50 GMT Connection: close Content-Length: 24
2024-10-31 13:26:51 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:26:56 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:26:56 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:26:56 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:26:56 GMT Connection: close Content-Length: 24
2024-10-31 13:26:56 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:03 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:03 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:03 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:02 GMT Connection: close Content-Length: 24
2024-10-31 13:27:03 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:08 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:08 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:08 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:07 GMT Connection: close Content-Length: 24
2024-10-31 13:27:08 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:13 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:13 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:13 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:12 GMT Connection: close Content-Length: 24
2024-10-31 13:27:13 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RafaelConnect.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE989860-978B-11EF-8C2D-ECF4BB2D2496}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE989862-978B-11EF-8C2D-ECF4BB2D2496}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\owgs8jc\imagestore.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\registerbb09db02[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\register[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\registerbb09db02[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\registerbb09db02[1].htm

C:\Users\user\AppData\Local\Temp\~DF74CDFB90435CCD30.TMP

C:\Users\user\AppData\Local\Temp\~DF863B075946964495.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (copy)

Windows Analysis Report
RafaelConnect.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:18 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:18 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:18 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:18 GMT Connection: close Content-Length: 24
2024-10-31 13:27:18 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:24 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:24 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:24 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:24 GMT Connection: close Content-Length: 24
2024-10-31 13:27:24 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:29 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:29 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:29 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:28 GMT Connection: close Content-Length: 24
2024-10-31 13:27:29 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:34 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:34 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:34 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:34 GMT Connection: close Content-Length: 24
2024-10-31 13:27:34 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:39 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:39 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:40 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:39 GMT Connection: close Content-Length: 24
2024-10-31 13:27:40 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:46 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:46 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:46 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:46 GMT Connection: close Content-Length: 24
2024-10-31 13:27:46 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:52 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:52 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:52 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:52 GMT Connection: close Content-Length: 24
2024-10-31 13:27:52 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:27:58 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:27:58 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:27:59 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:27:58 GMT Connection: close Content-Length: 24
2024-10-31 13:27:59 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:28:04 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:28:04 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:28:04 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:28:04 GMT Connection: close Content-Length: 24
2024-10-31 13:28:04 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==

Timestamp	Bytes transferred	Direction	Data
2024-10-31 13:28:10 UTC	323	OUT	POST /register HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: vacationtogotravels.net Content-Length: 8 Connection: Keep-Alive Cache-Control: no-cache
2024-10-31 13:28:10 UTC	8	OUT	Data Raw: 8d 6b 95 2f 6b 00 00 00 Data Ascii: k/k
2024-10-31 13:28:10 UTC	163	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 Date: Thu, 31 Oct 2024 13:28:10 GMT Connection: close Content-Length: 24
2024-10-31 13:28:10 UTC	24	IN	Data Raw: 47 4c 6e 71 35 6c 51 6d 32 46 6a 31 69 75 71 32 49 52 71 7a 78 41 3d 3d Data Ascii: GLnq5lQm2Fj1iuq2IRqzxA==